
[nginx] svn commit: r4877 - trunk/src/event

Anonymous User
October 01, 2012 08:50AM
Author: mdounin
Date: 2012-10-01 12:48:54 +0000 (Mon, 01 Oct 2012)
New Revision: 4877
URL: http://trac.nginx.org/nginx/changeset/4877/nginx

Log:
OCSP stapling: check Content-Type.

This will result in a better error message in case of an incorrect response
from the OCSP responder:

.... OCSP responder sent invalid "Content-Type" header: "text/plain"
while requesting certificate status, responder: ...

vs.

.... d2i_OCSP_RESPONSE() failed (SSL:
error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
while requesting certificate status, responder: ...


Modified:
trunk/src/event/ngx_event_openssl_stapling.c

Modified: trunk/src/event/ngx_event_openssl_stapling.c
===================================================================
--- trunk/src/event/ngx_event_openssl_stapling.c 2012-10-01 12:47:55 UTC (rev 4876)
+++ trunk/src/event/ngx_event_openssl_stapling.c 2012-10-01 12:48:54 UTC (rev 4877)
@@ -1425,6 +1425,7 @@
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
+ size_t len;
ngx_int_t rc;

ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
@@ -1442,6 +1443,33 @@
ctx->header_end - ctx->header_start,
ctx->header_start);

+ len = ctx->header_name_end - ctx->header_name_start;
+
+ if (len == sizeof("Content-Type") - 1
+ && ngx_strncasecmp(ctx->header_name_start,
+ (u_char *) "Content-Type",
+ sizeof("Content-Type") - 1)
+ == 0)
+ {
+ len = ctx->header_end - ctx->header_start;
+
+ if (len != sizeof("application/ocsp-response") - 1
+ || ngx_strncasecmp(ctx->header_start,
+ (u_char *) "application/ocsp-response",
+ sizeof("application/ocsp-response") - 1)
+ != 0)
+ {
+ ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+ "OCSP responder sent invalid "
+ "\"Content-Type\" header: \"%*s\"",
+ ctx->header_end - ctx->header_start,
+ ctx->header_start);
+ return NGX_ERROR;
+ }
+
+ continue;
+ }
+
/* TODO: honor Content-Length */

continue;
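
Review bot: The value comparison at `if (len != sizeof("application/ocsp-response") - 1 || ngx_strncasecmp(...) != 0)` demands an exact-length match, so a responder that sends the correct media type followed by a parameter or trailing whitespace (a constructed example: `application/ocsp-response; charset=binary`) is rejected with NGX_ERROR even though its body may be a valid OCSP response. Consider comparing only the first `sizeof("application/ocsp-response") - 1` bytes and then accepting end of value, `;` or whitespace as the next byte. The check also runs only when a Content-Type header is present, so a response that omits the header is not reported here; if that case should produce the same clear message, record that the header was seen and test the flag once header processing is done. Minor: the `ngx_log_error()` call can pass `len` instead of recomputing `ctx->header_end - ctx->header_start`.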

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel