[Fedora-directory-commits] mod_nss mod_nss.c, 1.14, 1.15 mod_nss.h, 1.16, 1.17 nss_engine_config.c, 1.13, 1.14 nss_engine_init.c, 1.24, 1.25 nss.conf.in, 1.9, 1.10
Robert Crittenden (rcritten)
fedora-directory-commits at redhat.com
Fri Oct 20 15:23:42 UTC 2006
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1460
Modified Files:
mod_nss.c mod_nss.h nss_engine_config.c nss_engine_init.c
nss.conf.in
Log Message:
211612
Add support for setting a default OCSP responder.
Index: mod_nss.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- mod_nss.c 9 Aug 2006 19:17:56 -0000 1.14
+++ mod_nss.c 20 Oct 2006 15:23:39 -0000 1.15
@@ -63,6 +63,15 @@
SSL_CMD_SRV(OCSP, FLAG,
"OCSP (Online Certificate Status Protocol)"
"(`on', `off')")
+ SSL_CMD_SRV(OCSPDefaultResponder, FLAG,
+ "Use a default OCSP Responder"
+ "(`on', `off')")
+ SSL_CMD_SRV(OCSPDefaultURL, TAKE1,
+ "The URL of the OCSP default responder"
+ "(`http://example.com:80/ocsp")
+ SSL_CMD_SRV(OCSPDefaultName, TAKE1,
+ "The nickname of the certificate to trust to sign the OCSP responses."
+ "(`OCSP_Cert`")
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"(`startup builtin|file:/path|exec:/path [bytes]')")
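Review bot: The help strings of the two new TAKE1 directives have unbalanced quoting: `"(`http://example.com:80/ocsp")` opens a backtick quote and never closes it, and `"(`OCSP_Cert`")` closes with a second backtick instead of the `'` every other entry in this table uses. Suggest `"(`http://example.com:80/ocsp')"` and `"(`OCSP_Cert')"` so the directive listing printed by httpd reads consistently with the surrounding entries.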
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- mod_nss.h 25 Aug 2006 20:19:48 -0000 1.16
+++ mod_nss.h 20 Oct 2006 15:23:39 -0000 1.17
@@ -291,6 +291,9 @@
struct SSLSrvConfigRec {
SSLModConfigRec *mc;
BOOL fips;
+ BOOL ocsp_default;
+ const char *ocsp_url;
+ const char *ocsp_name;
BOOL ocsp;
BOOL enabled;
BOOL proxy_enabled;
@@ -370,6 +373,9 @@
const char *nss_cmd_NSSFIPS(cmd_parms *, void *, int);
const char *nss_cmd_NSSEngine(cmd_parms *, void *, int);
const char *nss_cmd_NSSOCSP(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *, void *, int);
+const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *, void *dcfg, const char *arg);
+const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *, void *, const char *arg);
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSDBPrefix(cmd_parms *cmd, void *dcfg, const char *arg);
const char *nss_cmd_NSSCipherSuite(cmd_parms *cmd, void *dcfg, const char *arg);
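Review bot: The three new prototypes name their parameters inconsistently: `nss_cmd_NSSOCSPDefaultResponder` names none, `nss_cmd_NSSOCSPDefaultURL` names `dcfg` and `arg`, and `nss_cmd_NSSOCSPDefaultName` names only `arg`, while the existing declarations that follow name all three. Suggest `const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag);` and the matching `(cmd_parms *cmd, void *dcfg, const char *arg)` form for the other two, so the header documents the calling convention the same way throughout.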
Index: nss_engine_config.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_config.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- nss_engine_config.c 25 Aug 2006 20:19:48 -0000 1.13
+++ nss_engine_config.c 20 Oct 2006 15:23:39 -0000 1.14
@@ -126,6 +126,9 @@
sc->mc = NULL;
sc->ocsp = UNSET;
+ sc->ocsp_default = UNSET;
+ sc->ocsp_url = NULL;
+ sc->ocsp_name = NULL;
sc->fips = UNSET;
sc->enabled = UNSET;
sc->proxy_enabled = UNSET;
@@ -197,6 +200,9 @@
cfgMerge(mc, NULL);
cfgMergeBool(ocsp);
+ cfgMergeBool(ocsp_default);
+ cfgMerge(ocsp_url, NULL);
+ cfgMerge(ocsp_name, NULL);
cfgMergeBool(fips);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
@@ -314,6 +320,37 @@
return NULL;
}
+const char *nss_cmd_NSSOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->ocsp_default = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSOCSPDefaultURL(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->ocsp_url = arg;
+
+ return NULL;
+}
+
+const char *nss_cmd_NSSOCSPDefaultName(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->ocsp_name = arg;
+
+ return NULL;
+}
+
const char *nss_cmd_NSSCertificateDatabase(cmd_parms *cmd,
void *dcfg,
const char *arg)
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- nss_engine_init.c 17 Oct 2006 16:45:57 -0000 1.24
+++ nss_engine_init.c 20 Oct 2006 15:23:39 -0000 1.25
@@ -21,6 +21,7 @@
#include "pk11func.h"
#include "ocsp.h"
#include "keyhi.h"
+#include "cert.h"
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
@@ -137,7 +138,8 @@
* passwords.
*/
static void nss_init_SSLLibrary(server_rec *s, int sslenabled, int fipsenabled,
- int ocspenabled)
+ int ocspenabled, int ocspdefault,
+ const char * ocspurl, const char *ocspname)
{
SECStatus rv;
SSLModConfigRec *mc = myModConfig(s);
@@ -280,6 +282,30 @@
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"OCSP is enabled.");
+
+ /* We ensure that ocspname and ocspurl are not NULL in nss_init_Module
+ */
+ if (ocspdefault) {
+ SECStatus sv;
+
+ sv = CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(),
+ ocspurl, ocspname);
+
+ if (sv == SECFailure) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Unable to set OCSP default responder nickname %s.", ocspname);
+ nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+ nss_die();
+ }
+
+ sv = CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
+ if (sv == SECFailure) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Unable to enable the OCSP default responder, %s (this shouldn't happen).", ocspname);
+ nss_log_nss_error(APLOG_MARK, APLOG_INFO, s);
+ nss_die();
+ }
+ }
}
}
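Review bot: Both new failure paths call `nss_die()` but log at APLOG_INFO, so a fatal startup failure to configure the default responder sits at the same level as the "OCSP is enabled." notice just above it and is easily filtered out of the log an administrator reads. Use `APLOG_ERR` for both `ap_log_error`/`nss_log_nss_error` pairs, matching the APLOG_ERR used for the missing-URL check in nss_init_Module. The `if (ocspdefault)` block appears to sit inside the OCSP-enabled branch (CERT_EnableOCSPChecking precedes it and a second brace closes after it); if so, `NSSOCSPDefaultResponder on` combined with `NSSOCSP off` is accepted silently with no responder ever configured, which deserves at least a warning or a sentence in the comment above the block. nss_init_SSLLibrary begins outside this hunk.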
@@ -293,6 +319,9 @@
int sslenabled = FALSE;
int fipsenabled = FALSE;
int ocspenabled = FALSE;
+ int ocspdefault = FALSE;
+ const char * ocspurl = NULL;
+ const char * ocspname = NULL;
mc->nInitCount++;
@@ -382,9 +411,21 @@
if (sc->proxy_enabled == UNSET) {
sc->proxy_enabled = FALSE;
}
+
+ if (sc->ocsp_default == TRUE) {
+ ocspdefault = TRUE;
+ ocspurl = sc->ocsp_url;
+ ocspname = sc->ocsp_name;
+ if ((ocspurl == NULL) || (ocspname == NULL)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "When NSSOCSPDefaultResponder is enabled both a default URL (NSSOCSPDefaultUrl) and certificate nickname (NSSOCSPDefaultName) are required.");
+ nss_die();
+ }
+ }
}
- nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled);
+ nss_init_SSLLibrary(base_server, sslenabled, fipsenabled, ocspenabled,
+ ocspdefault, ocspurl, ocspname);
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"done Init: Initializing NSS library");
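Review bot: The error text refers to the directive as `NSSOCSPDefaultUrl`, but the directive registered in mod_nss.c is `NSSOCSPDefaultURL`; an administrator matching the log message against the configuration will not find it. Change the message to name `NSSOCSPDefaultURL`. The check also catches only NULL, while a TAKE1 argument may be the empty string, which passes here and only fails later inside CERT_SetOCSPDefaultResponder with a less specific message; `if (ocspurl == NULL || *ocspurl == '\0' || ocspname == NULL || *ocspname == '\0')` covers both. This block appears to be inside a per-server loop (it reads `sc` right after the proxy_enabled reset), and because the default responder is process-wide, the last virtual host with `NSSOCSPDefaultResponder on` silently wins; that is worth stating in nss.conf.in. The loop begins outside this hunk.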
@@ -1061,11 +1102,19 @@
}
if (shutdown) {
+ if (CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB())
+ != SECSuccess) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "Turning off the OCSP default responder failed.");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
+ }
+
SSL_ShutdownServerSessionIDCache();
if ((rv = NSS_Shutdown()) != SECSuccess) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "NSS_Shutdown failed: %d", PR_GetError());
+ "NSS_Shutdown failed");
+ nss_log_nss_error(APLOG_MARK, APLOG_ERR, NULL);
}
}
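Review bot: `CERT_DisableOCSPDefaultResponder` is now called on every shutdown, including when neither NSSOCSP nor NSSOCSPDefaultResponder was ever enabled; as far as I recall NSS returns failure from this call when no OCSP checking context exists (SEC_ERROR_OCSP_NOT_ENABLED), so a server that never used OCSP would log "Turning off the OCSP default responder failed." at APLOG_ERR on every restart, training operators to ignore ERR-level entries. Guard the call on the responder having actually been enabled, for example a module-level flag set where CERT_EnableOCSPDefaultResponder succeeds, or check `PR_GetError()` for that code before logging. The enclosing function begins outside this hunk.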
Index: nss.conf.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss.conf.in,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- nss.conf.in 2 Aug 2006 15:14:47 -0000 1.9
+++ nss.conf.in 20 Oct 2006 15:23:39 -0000 1.10
@@ -131,6 +131,18 @@
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
+#
+# Use a default OCSP responder. If enabled this will be used regardless
+# of whether one is included in a client certificate. Note that the
+# server certificate is verified during startup.
+#
+# NSSOCSPDefaultURL defines the service URL of the OCSP responder
+# NSSOCSPDefaultName is the nickname of the certificate to trust to
+# sign the OCSP responses.
+#NSSOCSPDefaultResponder on
+#NSSOCSPDefaultURL http://example.com/ocsp/status
+#NSSOCSPDefaultName ocsp-nickname
+
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server