[PATCH] OCSP stapling: better handling of successful OCSP responses.

Piotr Sikora
May 16, 2013 06:44PM
changeset: 5216:4fb8fac2b2f5
user: Piotr Sikora <piotr@cloudflare.com>
date: Thu May 16 15:37:24 2013 -0700
files: src/event/ngx_event_openssl_stapling.c
description:
OCSP stapling: better handling of successful OCSP responses.

All successful OCSP responses, regardless of the certificate status,
should be cached and used for OCSP stapling.

While there, log the certificate's common name and revocation reason,
because certificate status alone isn't very useful information.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>


diff -r cfab1e7e4ac2 -r 4fb8fac2b2f5 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:24 2013 -0700
@@ -529,7 +529,7 @@
const
#endif
u_char *p;
- int n;
+ int n, r, idx;
size_t len;
ngx_str_t response;
X509_STORE *store;
@@ -539,6 +539,10 @@
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *str;
+ ngx_str_t s;

staple = ctx->data;
ocsp = NULL;
@@ -606,7 +610,7 @@
goto error;
}

- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, id, &n, &r, NULL,
&thisupdate, &nextupdate)
!= 1)
{
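Review bot: `r` is declared without an initializer (`int n, r, idx;` at the top of this function) and OCSP_resp_find_status() only writes the reason when the status is revoked, so the later `n == V_OCSP_CERTSTATUS_REVOKED && r != -1` test is safe only because of the `&&` short-circuit. Initialize it (`r = -1;` next to `ocsp = NULL;`) so that a reordered or extended check can never read an indeterminate value. While passing `&r`, consider also passing a pointer for the revocation time (the next argument, still NULL here) so the log line below can carry it alongside the reason.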
@@ -615,19 +619,43 @@
goto error;
}

- if (n != V_OCSP_CERTSTATUS_GOOD) {
- ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status \"%s\" in the OCSP response",
- OCSP_cert_status_str(n));
- goto error;
- }
-
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}

+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ ngx_str_set(&s, "unknown");
+
+ if (ctx->cert) {
+ name = X509_get_subject_name(ctx->cert);
+ if (name) {
+ idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (idx != -1) {
+ entry = X509_NAME_get_entry(name, idx);
+ if (entry) {
+ str = X509_NAME_ENTRY_get_data(entry);
+ s.data = ASN1_STRING_data(str);
+ s.len = ASN1_STRING_length(str);
+ }
+ }
+ }
+ }
+
+ if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" (reason: \"%s\") in the "
+ "OCSP response for \"%V\"",
+ OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
+
+ } else {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" in the OCSP response "
+ "for \"%V\"", OCSP_cert_status_str(n), &s);
+ }
+ }
+
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
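Review bot: dropping the `goto error` for non-good statuses means a V_OCSP_CERTSTATUS_UNKNOWN response is now cached and stapled for its whole validity window, and nginx will not re-query the responder before nextupdate; since "unknown" usually means the responder has not yet learned about the certificate (a freshly issued one, say), consider stapling only good and revoked responses, or caching unknown with a short lifetime, rather than treating all three the same. Also, `s.data = ASN1_STRING_data(str)` hands the raw encoded commonName bytes to `%V`; for a CN that is not a PrintableString or UTF8String (a BMPString, for example) the name in the log line will not be readable, so either check `ASN1_STRING_type(str)` or convert with ASN1_STRING_to_UTF8() before logging. Finally, the four nested `if`s for the CN lookup could be collapsed into one condition joined with `&&`, which would also make the fallback to "unknown" easier to follow.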

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Thread (subject, author, views, posted):

[PATCH] OCSP stapling: better handling of successful OCSP responses. - Piotr Sikora - 902 - May 16, 2013 06:44PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Piotr Sikora - 390 - May 16, 2013 07:12PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Maxim Dounin - 426 - May 17, 2013 09:22AM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Piotr Sikora - 499 - May 17, 2013 07:34PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Maxim Dounin - 519 - May 20, 2013 06:58AM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Piotr Sikora - 498 - May 21, 2013 08:20PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses. - Maxim Dounin - 442 - May 23, 2013 11:26AM