[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 33/156: Add OCSP support
Timo Aaltonen
tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:24 UTC 2014
This is an automated email from the git hooks/post-receive script.
tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.
commit c1a0fd4a77013e02a5368715563c4df8cb5bddb4
Author: rcritten <>
Date: Tue Sep 6 14:52:05 2005 +0000
Add OCSP support
---
docs/mod_nss.html | 18 +++++++++++++++++-
mod_nss.c | 3 +++
mod_nss.h | 2 ++
nss_engine_config.c | 11 +++++++++++
nss_engine_init.c | 21 ++++++++++++++++++---
5 files changed, 51 insertions(+), 4 deletions(-)
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 1d9d5d8..3a03c54 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -349,7 +349,9 @@ Example</span><br style="font-weight: bold;">
<big><big>NSSFIPS</big></big><br>
<br>
Enables or disables FIPS 140 mode. This replaces the standard
-internal PKCS#11 module with a FIPS-enabled one. It also forces the enabled protocols to SSLv3 and TLSv1 and disables all ciphers but the FIPS ones.<br>
+internal PKCS#11 module with a FIPS-enabled one. It also forces the
+enabled protocols to SSLv3 and TLSv1 and disables all ciphers but the
+FIPS ones.<br>
<span style="font-weight: bold;"><br>
</span>FIPS is disabled by default.<br>
<span style="font-weight: bold;"><br>
@@ -357,6 +359,20 @@ Example</span><br style="font-weight: bold;">
<br>
<code>NSSFIPS on</code><br>
<br>
+<big><big>NSSOCSP</big></big><br>
+<br>
+Enables or disables <a
+ href="http://www.ietf.org/rfc/rfc2560.txt?number=2560">OCSP</a>
+(Online Certificate Status Protocol). This allows the server to check
+the validity of a client certificate before accepting it.<br>
+<br>
+<span style="font-weight: bold;"></span>OCSP<span
+ style="font-weight: bold;"> </span>is disabled by default.<br>
+<span style="font-weight: bold;"><br>
+Example</span><br style="font-weight: bold;">
+<br>
+<code>NSSOCSP on</code><br>
+<br>
<big><big>NSSCipherSuite<br>
</big></big><br>
A space-separated list of the SSL ciphers used, with the prefix <code>+</code>
diff --git a/mod_nss.c b/mod_nss.c
index bf9e84b..e546680 100644
--- a/mod_nss.c
+++ b/mod_nss.c
@@ -59,6 +59,9 @@ static const command_rec nss_config_cmds[] = {
SSL_CMD_SRV(PassPhraseHelper, TAKE1,
"Process to securely store SSL tokens to handle restarts "
"(`/path/to/file`")
+ SSL_CMD_SRV(OCSP, FLAG,
+ "OCSP (Online Certificate Status Protocol)"
+ "(`on', `off')")
/*
* Per-server context configuration directives
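Review bot: The two adjacent string literals in the new SSL_CMD_SRV(OCSP, …) entry concatenate without a separator, so the directive help text reads "…Status Protocol)(`on', `off')"; the PassPhraseHelper entry just above keeps a trailing space on its first literal for exactly this reason. Change the first literal to `"OCSP (Online Certificate Status Protocol) "` so the usage string matches the others. Since this is the text `httpd -L` and the config-error messages show the administrator, it is worth getting right in the same commit.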
diff --git a/mod_nss.h b/mod_nss.h
index bbb65b4..eb452cb 100644
--- a/mod_nss.h
+++ b/mod_nss.h
@@ -257,6 +257,7 @@ typedef struct {
struct SSLSrvConfigRec {
SSLModConfigRec *mc;
BOOL fips;
+ BOOL ocsp;
BOOL enabled;
BOOL proxy_enabled;
const char *vhost_id;
@@ -314,6 +315,7 @@ void *nss_config_server_create(apr_pool_t *p, server_rec *s);
void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv);
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
diff --git a/nss_engine_config.c b/nss_engine_config.c
index b4b0c30..9eb0cea 100644
--- a/nss_engine_config.c
+++ b/nss_engine_config.c
@@ -102,6 +102,7 @@ static SSLSrvConfigRec *nss_config_server_new(apr_pool_t *p)
SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
sc->mc = NULL;
+ sc->ocsp = UNSET;
sc->fips = UNSET;
sc->enabled = UNSET;
sc->proxy_enabled = UNSET;
@@ -164,6 +165,7 @@ void *nss_config_server_merge(apr_pool_t *p, void *basev, void *addv) {
SSLSrvConfigRec *mrg = nss_config_server_new(p);
cfgMerge(mc, NULL);
+ cfgMergeBool(ocsp);
cfgMergeBool(fips);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
@@ -274,6 +276,15 @@ const char *nss_cmd_NSSFIPS(cmd_parms *cmd, void *dcfg, int flag)
return NULL;
}
+const char *nss_cmd_NSSOCSP(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->ocsp = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd,
void *dcfg,
const char *arg)
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 0a1250d..7b4860e 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -104,7 +104,8 @@ static void nss_add_version_components(apr_pool_t *p,
* If sslenabled is not set then there is no need to prompt for the token
* passwords.
*/
-static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled)
+static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled,
+ int ocspenabled)
{
SECStatus rv;
SSLModConfigRec *mc = myModConfig(s);
@@ -227,6 +228,12 @@ static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled)
SSL_ConfigMPServerSIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
else
SSL_ConfigServerSessionIDCache(mc->session_cache_size, (PRUint32) mc->session_cache_timeout, (PRUint32) mc->ssl3_session_cache_timeout, NULL);
+
+ if (ocspenabled) {
+ CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "OCSP is enabled.");
+ }
}
int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
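Review bot: The SECStatus returned by CERT_EnableOCSPChecking is discarded, so a failure (for example no default certificate DB yet) leaves OCSP silently off while the next line still logs "OCSP is enabled." — the administrator would believe revocation checking is active when it is not. Check the return and log at error level on failure, only emitting the informational message on success; nss_init_SSLLibrary's body begins before this hunk, so the surrounding state is inferred from the prototype hunk above. Whether the module should refuse to start on this failure is a policy decision the commit should state in a comment either way.

```c
    if (ocspenabled) {
        if (CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()) != SECSuccess) {
            /* OCSP was requested but could not be turned on: say so loudly
             * rather than claim it is active. */
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                         "Unable to enable OCSP checking (NSS error %d)",
                         PR_GetError());
        } else {
            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                         "OCSP is enabled.");
        }
    }
```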
@@ -238,6 +245,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
server_rec *s;
int sslenabled = FALSE;
int fipsenabled = FALSE;
+ int ocspenabled = FALSE;
mc->nInitCount++;
@@ -300,6 +308,10 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
sc->fips = FALSE;
}
+ if (sc->ocsp == UNSET) {
+ sc->ocsp = FALSE;
+ }
+
/* If any servers have SSL, we want sslenabled set so we
* can initialize the database. fipsenabled is similar. If
* any of the servers have it set, they all will need to use
@@ -314,6 +326,10 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
fipsenabled = TRUE;
}
+ if (sc->ocsp == TRUE) {
+ ocspenabled = TRUE;
+ }
+
if (sc->enabled == TRUE) {
sslenabled = TRUE;
}
@@ -323,7 +339,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
}
}
- nss_init_SSLLibrary(base_server, sslenabled, fipsenabled);
+ nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"done Init: Initializing NSS library");
@@ -338,7 +354,6 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
-
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*