Erm, "hg export" patch attached, sorry about that.
Best regards,
Piotr Sikora
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1368743844 25200
# Node ID 4fb8fac2b2f58f8946c120a3da9743c4af8dd6ba
# Parent cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
OCSP stapling: better handling of successful OCSP responses.
All successful OCSP responseses, regardless of the certificate status,
should be cached and used for OCSP stapling.
While there, log the certificate's common name and revocation reason,
because certificate status alone isn't very useful information.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
diff -r cfab1e7e4ac2 -r 4fb8fac2b2f5 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:24 2013 -0700
@@ -529,7 +529,7 @@
const
#endif
u_char *p;
- int n;
+ int n, r, idx;
size_t len;
ngx_str_t response;
X509_STORE *store;
@@ -539,6 +539,10 @@
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *str;
+ ngx_str_t s;
staple = ctx->data;
ocsp = NULL;
@@ -606,7 +610,7 @@
goto error;
}
- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, id, &n, &r, NULL,
&thisupdate, &nextupdate)
!= 1)
{
@@ -615,19 +619,43 @@
goto error;
}
- if (n != V_OCSP_CERTSTATUS_GOOD) {
- ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status \"%s\" in the OCSP response",
- OCSP_cert_status_str(n));
- goto error;
- }
-
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}
+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ ngx_str_set(&s, "unknown");
+
+ if (ctx->cert) {
+ name = X509_get_subject_name(ctx->cert);
+ if (name) {
+ idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (idx != -1) {
+ entry = X509_NAME_get_entry(name, idx);
+ if (entry) {
+ str = X509_NAME_ENTRY_get_data(entry);
+ s.data = ASN1_STRING_data(str);
+ s.len = ASN1_STRING_length(str);
+ }
+ }
+ }
+ }
+
+ if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" (reason: \"%s\") in the "
+ "OCSP response for \"%V\"",
+ OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
+
+ } else {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" in the OCSP response "
+ "for \"%V\"", OCSP_cert_status_str(n), &s);
+ }
+ }
+
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Best regards,
Piotr Sikora
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1368743844 25200
# Node ID 4fb8fac2b2f58f8946c120a3da9743c4af8dd6ba
# Parent cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
OCSP stapling: better handling of successful OCSP responses.
All successful OCSP responseses, regardless of the certificate status,
should be cached and used for OCSP stapling.
While there, log the certificate's common name and revocation reason,
because certificate status alone isn't very useful information.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
diff -r cfab1e7e4ac2 -r 4fb8fac2b2f5 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:24 2013 -0700
@@ -529,7 +529,7 @@
const
#endif
u_char *p;
- int n;
+ int n, r, idx;
size_t len;
ngx_str_t response;
X509_STORE *store;
@@ -539,6 +539,10 @@
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *str;
+ ngx_str_t s;
staple = ctx->data;
ocsp = NULL;
@@ -606,7 +610,7 @@
goto error;
}
- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, id, &n, &r, NULL,
&thisupdate, &nextupdate)
!= 1)
{
@@ -615,19 +619,43 @@
goto error;
}
- if (n != V_OCSP_CERTSTATUS_GOOD) {
- ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status \"%s\" in the OCSP response",
- OCSP_cert_status_str(n));
- goto error;
- }
-
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}
+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ ngx_str_set(&s, "unknown");
+
+ if (ctx->cert) {
+ name = X509_get_subject_name(ctx->cert);
+ if (name) {
+ idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (idx != -1) {
+ entry = X509_NAME_get_entry(name, idx);
+ if (entry) {
+ str = X509_NAME_ENTRY_get_data(entry);
+ s.data = ASN1_STRING_data(str);
+ s.len = ASN1_STRING_length(str);
+ }
+ }
+ }
+ }
+
+ if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" (reason: \"%s\") in the "
+ "OCSP response for \"%V\"",
+ OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
+
+ } else {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" in the OCSP response "
+ "for \"%V\"", OCSP_cert_status_str(n), &s);
+ }
+ }
+
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel