[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 33/156: Add OCSP support

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:24 UTC 2014



tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit c1a0fd4a77013e02a5368715563c4df8cb5bddb4
Author: rcritten <>
Date:   Tue Sep 6 14:52:05 2005 +0000

    Add OCSP support
---
 docs/mod_nss.html   | 18 +++++++++++++++++-
 mod_nss.c           |  3 +++
 mod_nss.h           |  2 ++
 nss_engine_config.c | 11 +++++++++++
 nss_engine_init.c   | 21 ++++++++++++++++++---
 5 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 1d9d5d8..3a03c54 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -349,7 +349,9 @@ Example</span><br style="font-weight: bold;">
 <big><big>NSSFIPS</big></big><br>
 <br>
 Enables or disables FIPS 140 mode. This replaces the standard
-internal PKCS#11 module with a FIPS-enabled one. It also forces the enabled protocols to SSLv3 and TLSv1 and disables all ciphers but the FIPS ones.<br>
+internal PKCS#11 module with a FIPS-enabled one. It also forces the
+enabled protocols to SSLv3 and TLSv1 and disables all ciphers but the
+FIPS ones.<br>
 <span style="font-weight: bold;"><br>
 </span>FIPS is disabled by default.<br>
 <span style="font-weight: bold;"><br>
@@ -357,6 +359,20 @@ Example</span><br style="font-weight: bold;">
 <br>
 <code>NSSFIPS on</code><br>
 <br>
+<big><big>NSSOCSP</big></big><br>
+<br>
+Enables or disables <a
+ href="http://www.ietf.org/rfc/rfc2560.txt?number=2560">OCSP</a>
+(Online Certificate Status Protocol). This allows the server to check
+the validity of a client certificate before accepting it.<br>
+<br>
+<span style="font-weight: bold;"></span>OCSP<span
+ style="font-weight: bold;"> </span>is disabled by default.<br>
+<span style="font-weight: bold;"><br>
+Example</span><br style="font-weight: bold;">
+<br>
+<code>NSSOCSP on</code><br>
+<br>
 <big><big>NSSCipherSuite<br>
 </big></big><br>
 A space-separated list of the SSL ciphers used, with the prefix <code>+</code>
diff --git a/mod_nss.c b/mod_nss.c
index bf9e84b..e546680 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -59,6 +59,9 @@ static const command_rec nss_config_cmds[] = {
     SSL_CMD_SRV(PassPhraseHelper, TAKE1,
                 "Process to securely store SSL tokens to handle restarts "
                 "(`/path/to/file`")
+    SSL_CMD_SRV(OCSP, FLAG,
+                "OCSP (Online Certificate Status Protocol)"
+                "(`on', `off')")
 
     /*
      * Per-server context configuration directives
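Review bot: The help text for the new OCSP directive is built from two adjacent string literals with no separating space, so it renders as `OCSP (Online Certificate Status Protocol)(`on', `off')`; change the first literal to `"OCSP (Online Certificate Status Protocol) "` to match how the other entries read. Since the init code in this commit ORs the flag across all servers and enables checking on the default certificate database, it may also be worth saying in the help text that the setting is effectively global rather than per virtual host.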
diff --git a/mod_nss.h b/mod_nss.h
index bbb65b4..eb452cb 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -257,6 +257,7 @@ typedef struct {
 struct SSLSrvConfigRec {
     SSLModConfigRec *mc;
     BOOL             fips;
+    BOOL             ocsp;
     BOOL             enabled;
     BOOL             proxy_enabled;
     const char      *vhost_id;
@@ -314,6 +315,7 @@ void *nss_config_server_create(apr_pool_t *p, server_rec *s);
 void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
 const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
 const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
 const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
diff --git a/nss_engine_config.c b/nss_engine_config.c
index b4b0c30..9eb0cea 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -102,6 +102,7 @@ static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p)
     SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
     
     sc->mc                          = NULL;
+    sc->ocsp                        = UNSET;
     sc->fips                        = UNSET;
     sc->enabled                     = UNSET;
     sc->proxy_enabled               = UNSET;
@@ -164,6 +165,7 @@ void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv) {
     SSLSrvConfigRec *mrg  = nss_config_server_new(p);
 
     cfgMerge(mc, NULL);
+    cfgMergeBool(ocsp);
     cfgMergeBool(fips);
     cfgMergeBool(enabled);
     cfgMergeBool(proxy_enabled);
@@ -274,6 +276,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *cmd, void *dcfg, int flag)
     return NULL;
 }
 
+const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->ocsp = flag ? TRUE : FALSE;
+ 
+    return NULL;
+}
+
 const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd,
                                            void *dcfg,
                                            const char *arg)
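Review bot: nss_cmd_NSSOCSP stores the flag in the per-server config, but the init changes in this same commit OR the value across every server and enable checking on the default cert DB, so `NSSOCSP on` in one vhost turns it on for all of them; a short comment above the setter would spare the next reader that surprise: `/* Stored per server, but nss_init_Module ORs the flag across all servers and enables OCSP on the default cert DB, so it is effectively global. */`. If the directive is intended to be global only, `ap_check_cmd_context(cmd, GLOBAL_ONLY)` at the top of the setter would enforce that, assuming the file's other global directives follow the same pattern (nss_cmd_NSSFIPS is cut off above this hunk, so I cannot tell). The added blank line before the `return` also carries trailing whitespace.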
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 0a1250d..7b4860e 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -104,7 +104,8 @@ static void nss_add_version_components(apr_pool_t *p,
  *  If sslenabled is not set then there is no need to prompt for the token
  *  passwords. 
  */
-static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled)
+static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled,
+                                int ocspenabled)
 {
     SECStatus rv;
     SSLModConfigRec *mc = myModConfig(s);
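Review bot: The header comment above nss_init_SSLLibrary (its start is outside the hunk) describes the sslenabled parameter but was not extended for the new ocspenabled one; add a line such as ` *  If ocspenabled is set, OCSP checking is turned on for the default certificate database.` so the comment keeps describing the full signature. The function body continues past the end of this hunk.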
@@ -227,6 +228,12 @@ static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled)
         SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
     else
         SSL_ConfigServerSessionIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
+
+    if (ocspenabled) {
+        CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            "OCSP is enabled.");
+    }
 }
 
 int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
@@ -238,6 +245,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
     server_rec *s;
     int sslenabled = FALSE;
     int fipsenabled = FALSE;
+    int ocspenabled = FALSE;
 
     mc->nInitCount++;
  
@@ -300,6 +308,10 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
             sc->fips = FALSE;
         }
 
+        if (sc->ocsp == UNSET) {
+            sc->ocsp = FALSE;
+        }
+
         /* If any servers have SSL, we want sslenabled set so we
          * can initialize the database. fipsenabled is similar. If
          * any of the servers have it set, they all will need to use
@@ -314,6 +326,10 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
             fipsenabled = TRUE;
         }
 
+        if (sc->ocsp == TRUE) {
+            ocspenabled = TRUE;
+        }
+
         if (sc->enabled == TRUE) {
             sslenabled = TRUE;
         }
@@ -323,7 +339,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
         }
     }
 
-    nss_init_SSLLibrary(base_server, sslenabled, fipsenabled);
+    nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled);
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                  "done Init: Initializing NSS library");
 
@@ -338,7 +354,6 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
                  "Init: Initializing (virtual) servers for SSL");
 
-
     for (s = base_server; s; s = s->next) {
         sc = mySrvConfig(s);
         /*
