| diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h |
| index 24a65a0..a360911 100644 |
| |
| |
| @@ -29,6 +29,7 @@ |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "apr_optional.h" |
| +#include "apr_tables.h" /* for apr_array_header_t */ |
| |
| /* Create a set of SSL_DECLARE(type), SSL_DECLARE_NONSTD(type) and |
| * SSL_DECLARE_DATA with appropriate export and import tags for the platform |
| @@ -86,6 +87,34 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); |
| APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *, |
| ap_conf_vector_t *, |
| int proxy, int enable)); |
| + |
| +/* Check for availability of new hooks */ |
| +#define SSL_CERT_HOOKS |
| +#ifdef SSL_CERT_HOOKS |
| + |
| +/** Lets others add certificate and key files to the given server. |
| + * For each cert a key must also be added. |
| + * @param cert_file and array of const char* with the path to the certificate chain |
| + * @param key_file and array of const char* with the path to the private key file |
| + */ |
| +APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_cert_files, |
| + (server_rec *s, apr_pool_t *p, |
| + apr_array_header_t *cert_files, |
| + apr_array_header_t *key_files)) |
| + |
| +/** In case no certificates are available for a server, this |
| + * lets other modules add a fallback certificate for the time |
| + * being. Regular requests against this server will be answered |
| + * with a 503. |
| + * @param cert_file and array of const char* with the path to the certificate chain |
| + * @param key_file and array of const char* with the path to the private key file |
| + */ |
| +APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, add_fallback_cert_files, |
| + (server_rec *s, apr_pool_t *p, |
| + apr_array_header_t *cert_files, |
| + apr_array_header_t *key_files)) |
| + |
| +#endif /* SSL_CERT_HOOKS */ |
| |
| #endif /* __MOD_SSL_H__ */ |
| /** @} */ |
| diff --git a/modules/ssl/mod_ssl_openssl.h b/modules/ssl/mod_ssl_openssl.h |
| index 0fa654a..d4f684f 100644 |
| |
| |
| @@ -69,5 +69,45 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake, |
| APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake, |
| (conn_rec *c, SSL *ssl)) |
| |
| +/** On TLS connections that do not relate to a configured virtual host, |
| + * allow other modules to provide a X509 certificate and EVP_PKEY to |
| + * be used on the connection. This first hook which does not |
| + * return DECLINED will determine the outcome. */ |
| +APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, answer_challenge, |
| + (conn_rec *c, const char *server_name, |
| + X509 **pcert, EVP_PKEY **pkey)) |
| + |
| +/** During post_config phase, ask around if someone wants to provide |
| + * OCSP stapling status information for the given cert (with the also |
| + * provided issuer certificate). The first hook which does not |
| + * return DECLINED promises to take responsibility (and respond |
| + * in later calls via hook ssl_get_stapling_status). |
| + * If no hook takes over, mod_ssl's own stapling implementation will |
| + * be applied (if configured). |
| + */ |
| +APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_stapling_status, |
| + (server_rec *s, apr_pool_t *p, |
| + X509 *cert, X509 *issuer)) |
| + |
| +/** Anyone answering positive to ssl_init_stapling_status for a |
| + * certificate, needs to register here and supply the actual OCSP stapling |
| + * status data (OCSP_RESP) for a new connection. |
| + * A hook supplying the response data must return APR_SUCCESS. |
| + * The data is returned in DER encoded bytes via pder and pderlen. The |
| + * returned pointer may be NULL, which indicates that data is (currently) |
| + * unavailable. |
| + * If DER data is returned, it MUST come from a response with |
| + * status OCSP_RESPONSE_STATUS_SUCCESSFUL and V_OCSP_CERTSTATUS_GOOD |
| + * or V_OCSP_CERTSTATUS_REVOKED, not V_OCSP_CERTSTATUS_UNKNOWN. This means |
| + * errors in OCSP retrieval are to be handled/logged by the hook and |
| + * are not done by mod_ssl. |
| + * Any DER bytes returned MUST be allocated via malloc() and ownership |
| + * passes to mod_ssl. Meaning, the hook must return a malloced copy of |
| + * the data it has. mod_ssl (or OpenSSL) will free it. |
| + */ |
| +APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, get_stapling_status, |
| + (unsigned char **pder, int *pderlen, |
| + conn_rec *c, server_rec *s, X509 *cert)) |
| + |
| #endif /* __MOD_SSL_OPENSSL_H__ */ |
| /** @} */ |
| diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
| index 21e41e2..ef631c1 100644 |
| |
| |
| @@ -36,6 +36,25 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server, |
| (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx), |
| (s,p,is_proxy,ctx), OK, DECLINED) |
| |
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files, |
| + (server_rec *s, apr_pool_t *p, |
| + apr_array_header_t *cert_files, apr_array_header_t *key_files), |
| + (s, p, cert_files, key_files), |
| + OK, DECLINED) |
| + |
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_fallback_cert_files, |
| + (server_rec *s, apr_pool_t *p, |
| + apr_array_header_t *cert_files, apr_array_header_t *key_files), |
| + (s, p, cert_files, key_files), |
| + OK, DECLINED) |
| + |
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge, |
| + (conn_rec *c, const char *server_name, |
| + X509 **pcert, EVP_PKEY **pkey), |
| + (c, server_name, pcert, pkey), |
| + DECLINED, DECLINED) |
| + |
| + |
| /* _________________________________________________________________ |
| ** |
| ** Module Initialization |
| @@ -165,18 +184,18 @@ static void ssl_add_version_components(apr_pool_t *p, |
| modver, AP_SERVER_BASEVERSION, incver); |
| } |
| |
| -/**************************************************************************************************/ |
| -/* Managed Domains Interface */ |
| - |
| -static APR_OPTIONAL_FN_TYPE(md_is_managed) *md_is_managed; |
| -static APR_OPTIONAL_FN_TYPE(md_get_certificate) *md_get_certificate; |
| -static APR_OPTIONAL_FN_TYPE(md_is_challenge) *md_is_challenge; |
| +/* _________________________________________________________________ |
| +** |
| +** Let other answer special connection attempts. |
| +** Used in ACME challenge handling by mod_md. |
| +** _________________________________________________________________ |
| +*/ |
| |
| int ssl_is_challenge(conn_rec *c, const char *servername, |
| X509 **pcert, EVP_PKEY **pkey) |
| { |
| - if (md_is_challenge) { |
| - return md_is_challenge(c, servername, pcert, pkey); |
| + if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey)) { |
| + return 1; |
| } |
| *pcert = NULL; |
| *pkey = NULL; |
| @@ -231,16 +250,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, |
| ssl_config_global_create(base_server); /* just to avoid problems */ |
| ssl_config_global_fix(mc); |
| |
| - /* Initialize our interface to mod_md, if it is loaded |
| - */ |
| - md_is_managed = APR_RETRIEVE_OPTIONAL_FN(md_is_managed); |
| - md_get_certificate = APR_RETRIEVE_OPTIONAL_FN(md_get_certificate); |
| - md_is_challenge = APR_RETRIEVE_OPTIONAL_FN(md_is_challenge); |
| - if (!md_is_managed || !md_get_certificate) { |
| - md_is_managed = NULL; |
| - md_get_certificate = NULL; |
| - } |
| - |
| /* |
| * try to fix the configuration and open the dedicated SSL |
| * logfile as early as possible |
| @@ -1392,8 +1401,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, |
| * loaded via SSLOpenSSLConfCmd Certificate), so for 1.0.2 and |
| * later, we defer to the code in ssl_init_server_ctx. |
| */ |
| - if ((mctx->stapling_enabled == TRUE) && |
| - !ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) { |
| + if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) { |
| ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567) |
| "Unable to configure certificate %s for stapling", |
| key_id); |
| @@ -1788,11 +1796,13 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, |
| apr_array_header_t *pphrases) |
| { |
| apr_status_t rv; |
| + modssl_pk_server_t *pks; |
| #ifdef HAVE_SSL_CONF_CMD |
| ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts; |
| SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config; |
| int i; |
| #endif |
| + int n; |
| |
| /* |
| * Check for problematic re-initializations |
| @@ -1804,50 +1814,24 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, |
| return APR_EGENERAL; |
| } |
| |
| - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10083) |
| - "Init: (%s) mod_md support is %s.", ssl_util_vhostid(p, s), |
| - md_is_managed? "available" : "unavailable"); |
| - if (md_is_managed && md_is_managed(s)) { |
| - modssl_pk_server_t *const pks = sc->server->pks; |
| - if (pks->cert_files->nelts > 0 || pks->key_files->nelts > 0) { |
| - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10084) |
| - "Init: (%s) You configured certificate/key files on this host, but " |
| - "is is covered by a Managed Domain. You need to remove these directives " |
| - "for the Managed Domain to take over.", ssl_util_vhostid(p, s)); |
| - } |
| - else { |
| - const char *key_file, *cert_file, *chain_file; |
| - |
| - key_file = cert_file = chain_file = NULL; |
| - |
| - if (md_get_certificate) { |
| - rv = md_get_certificate(s, p, &key_file, &cert_file); |
| - } |
| - else { |
| - rv = APR_ENOTIMPL; |
| - } |
| - |
| - if (key_file && cert_file) { |
| - ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, |
| - "%s: installing key=%s, cert=%s, chain=%s", |
| - ssl_util_vhostid(p, s), key_file, cert_file, chain_file); |
| - APR_ARRAY_PUSH(pks->key_files, const char *) = key_file; |
| - APR_ARRAY_PUSH(pks->cert_files, const char *) = cert_file; |
| - sc->server->cert_chain = chain_file; |
| - } |
| - |
| - if (APR_STATUS_IS_EAGAIN(rv)) { |
| - /* Managed Domain not ready yet. This is not a reason to fail the config */ |
| - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085) |
| - "Init: %s will respond with '503 Service Unavailable' for now. This " |
| - "host is part of a Managed Domain, but no SSL certificate is " |
| - "available (yet).", ssl_util_vhostid(p, s)); |
| - pks->service_unavailable = 1; |
| - } |
| - else if (rv != APR_SUCCESS) { |
| - return rv; |
| - } |
| - } |
| + /* Allow others to provide certificate files */ |
| + pks = sc->server->pks; |
| + n = pks->cert_files->nelts; |
| + ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files); |
| + |
| + if (n < pks->cert_files->nelts) { |
| + /* this overrides any old chain configuration */ |
| + sc->server->cert_chain = NULL; |
| + } |
| + |
| + if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) { |
| + ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files); |
| + |
| + pks->service_unavailable = 1; |
| + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085) |
| + "Init: %s will respond with '503 Service Unavailable' for now. There " |
| + "are no SSL certificates configured and no other module contributed any.", |
| + ssl_util_vhostid(p, s)); |
| } |
| |
| if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) { |
| @@ -1900,7 +1884,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, |
| * (late) point makes sure that we catch both certificates loaded |
| * via SSLCertificateFile and SSLOpenSSLConfCmd Certificate. |
| */ |
| - if (sc->server->stapling_enabled == TRUE) { |
| + do { |
| X509 *cert; |
| int i = 0; |
| int ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx, |
| @@ -1917,7 +1901,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s, |
| SSL_CERT_SET_NEXT); |
| i++; |
| } |
| - } |
| + } while(0); |
| #endif |
| |
| #ifdef HAVE_TLS_SESSION_TICKETS |
| diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c |
| index e6a9f67..a5e86e4 100644 |
| |
| |
| @@ -2303,6 +2303,37 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) |
| } |
| |
| #ifdef HAVE_TLSEXT |
| + |
| +static apr_status_t set_challenge_creds(conn_rec *c, const char *servername, |
| + SSL *ssl, X509 *cert, EVP_PKEY *key) |
| +{ |
| + SSLConnRec *sslcon = myConnConfig(c); |
| + |
| + sslcon->service_unavailable = 1; |
| + if ((SSL_use_certificate(ssl, cert) < 1)) { |
| + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086) |
| + "Failed to configure challenge certificate %s", |
| + servername); |
| + return APR_EGENERAL; |
| + } |
| + |
| + if (!SSL_use_PrivateKey(ssl, key)) { |
| + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087) |
| + "error '%s' using Challenge key: %s", |
| + ERR_error_string(ERR_peek_last_error(), NULL), |
| + servername); |
| + return APR_EGENERAL; |
| + } |
| + |
| + if (SSL_check_private_key(ssl) < 1) { |
| + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088) |
| + "Challenge certificate and private key %s " |
| + "do not match", servername); |
| + return APR_EGENERAL; |
| + } |
| + return APR_SUCCESS; |
| +} |
| + |
| /* |
| * This function sets the virtual host from an extended |
| * client hello with a server name indication extension ("SNI", cf. RFC 6066). |
| @@ -2332,30 +2363,12 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl) |
| return APR_SUCCESS; |
| } |
| else if (ssl_is_challenge(c, servername, &cert, &key)) { |
| - |
| - sslcon->service_unavailable = 1; |
| - if ((SSL_use_certificate(ssl, cert) < 1)) { |
| - ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086) |
| - "Failed to configure challenge certificate %s", |
| - servername); |
| + /* With ACMEv1 we can have challenge connections to a unknown domains |
| + * that need to be answered with a special certificate and will |
| + * otherwise not answer any requests. */ |
| + if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) { |
| return APR_EGENERAL; |
| } |
| - |
| - if (!SSL_use_PrivateKey(ssl, key)) { |
| - ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087) |
| - "error '%s' using Challenge key: %s", |
| - ERR_error_string(ERR_peek_last_error(), NULL), |
| - servername); |
| - return APR_EGENERAL; |
| - } |
| - |
| - if (SSL_check_private_key(ssl) < 1) { |
| - ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088) |
| - "Challenge certificate and private key %s " |
| - "do not match", servername); |
| - return APR_EGENERAL; |
| - } |
| - |
| } |
| else { |
| ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044) |
| @@ -2648,6 +2661,23 @@ int ssl_callback_alpn_select(SSL *ssl, |
| proposed); |
| return SSL_TLSEXT_ERR_ALERT_FATAL; |
| } |
| + |
| + /* protocol was switched, this could be a challenge protocol such as "acme-tls/1". |
| + * For that to work, we need to allow overrides to our ssl certificate. |
| + * However, exclude challenge checks on our best known traffic protocol. |
| + * (http/1.1 is the default, we never switch to it anyway.) |
| + */ |
| + if (strcmp("h2", proposed)) { |
| + const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
| + X509 *cert; |
| + EVP_PKEY *key; |
| + |
| + if (ssl_is_challenge(c, servername, &cert, &key)) { |
| + if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) { |
| + return SSL_TLSEXT_ERR_ALERT_FATAL; |
| + } |
| + } |
| + } |
| } |
| |
| return SSL_TLSEXT_ERR_OK; |
| diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c |
| index c3e2cfa..4df0a9a 100644 |
| |
| |
| @@ -31,12 +31,28 @@ |
| #include "ssl_private.h" |
| #include "ap_mpm.h" |
| #include "apr_thread_mutex.h" |
| +#include "mod_ssl_openssl.h" |
| + |
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status, |
| + (server_rec *s, apr_pool_t *p, |
| + X509 *cert, X509 *issuer), |
| + (s, p, cert, issuer), |
| + DECLINED, DECLINED) |
| + |
| +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, get_stapling_status, |
| + (unsigned char **pder, int *pderlen, |
| + conn_rec *c, server_rec *s, X509 *cert), |
| + (pder, pderlen, c, s, cert), |
| + DECLINED, DECLINED) |
| + |
| |
| #ifdef HAVE_OCSP_STAPLING |
| |
| static int stapling_cache_mutex_on(server_rec *s); |
| static int stapling_cache_mutex_off(server_rec *s); |
| |
| +static int stapling_cb(SSL *ssl, void *arg); |
| + |
| /** |
| * Maxiumum OCSP stapling response size. This should be the response for a |
| * single certificate and will typically include the responder certificate chain |
| @@ -119,7 +135,38 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, |
| OCSP_CERTID *cid = NULL; |
| STACK_OF(OPENSSL_STRING) *aia = NULL; |
| |
| - if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
| + if (x == NULL) |
| + return 0; |
| + |
| + if (!(issuer = stapling_get_issuer(mctx, x))) { |
| + /* In Apache pre 2.4.40, we use to come here only when mod_ssl stapling |
| + * was enabled. With the new hooks, we give other modules the chance |
| + * to provide stapling status. However, we do not want to log ssl errors |
| + * where we did not do so in the past. */ |
| + if (mctx->stapling_enabled == TRUE) { |
| + ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) |
| + "ssl_stapling_init_cert: can't retrieve issuer " |
| + "certificate!"); |
| + return 0; |
| + } |
| + return 1; |
| + } |
| + |
| + if (ssl_run_init_stapling_status(s, p, x, issuer) == APR_SUCCESS) { |
| + /* Someone's taken over or mod_ssl's own implementation is not enabled */ |
| + if (mctx->stapling_enabled != TRUE) { |
| + SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb); |
| + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() "OCSP stapling added via hook"); |
| + } |
| + return 1; |
| + } |
| + |
| + if (mctx->stapling_enabled != TRUE) { |
| + /* mod_ssl's own implementation is not enabled */ |
| + return 1; |
| + } |
| + |
| + if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) |
| return 0; |
| |
| cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
| @@ -139,13 +186,6 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, |
| return 1; |
| } |
| |
| - if (!(issuer = stapling_get_issuer(mctx, x))) { |
| - ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) |
| - "ssl_stapling_init_cert: can't retrieve issuer " |
| - "certificate!"); |
| - return 0; |
| - } |
| - |
| cid = OCSP_cert_to_id(NULL, x, issuer); |
| X509_free(issuer); |
| if (!cid) { |
| @@ -182,18 +222,16 @@ int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, |
| mctx->sc->vhost_id); |
| |
| apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf); |
| - |
| + |
| return 1; |
| } |
| |
| -static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx, |
| +static certinfo *stapling_get_certinfo(server_rec *s, X509 *x, modssl_ctx_t *mctx, |
| SSL *ssl) |
| { |
| certinfo *cinf; |
| - X509 *x; |
| UCHAR idx[SHA_DIGEST_LENGTH]; |
| - x = SSL_get_certificate(ssl); |
| - if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) |
| + if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) |
| return NULL; |
| cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); |
| if (cinf && cinf->cid) |
| @@ -750,18 +788,34 @@ static int stapling_cb(SSL *ssl, void *arg) |
| OCSP_RESPONSE *rsp = NULL; |
| int rv; |
| BOOL ok = TRUE; |
| + X509 *x; |
| + unsigned char *rspder = NULL; |
| + int rspderlen; |
| |
| + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) |
| + "stapling_cb: OCSP Stapling callback called"); |
| + |
| + x = SSL_get_certificate(ssl); |
| + if (x == NULL) { |
| + return SSL_TLSEXT_ERR_NOACK; |
| + } |
| + |
| + if (ssl_run_get_stapling_status(&rspder, &rspderlen, conn, s, x) == APR_SUCCESS) { |
| + /* a hook handles stapling for this certicate and determines the response */ |
| + if (rspder == NULL || rspderlen <= 0) { |
| + return SSL_TLSEXT_ERR_NOACK; |
| + } |
| + SSL_set_tlsext_status_ocsp_resp(ssl, rspder, rspderlen); |
| + return SSL_TLSEXT_ERR_OK; |
| + } |
| + |
| if (sc->server->stapling_enabled != TRUE) { |
| ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01950) |
| "stapling_cb: OCSP Stapling disabled"); |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) |
| - "stapling_cb: OCSP Stapling callback called"); |
| - |
| - cinf = stapling_get_certinfo(s, mctx, ssl); |
| - if (cinf == NULL) { |
| + if ((cinf = stapling_get_certinfo(s, x, mctx, ssl)) == NULL) { |
| return SSL_TLSEXT_ERR_NOACK; |
| } |
| |
| @@ -864,9 +918,10 @@ apr_status_t modssl_init_stapling(server_rec *s, apr_pool_t *p, |
| if (mctx->stapling_responder_timeout == UNSET) { |
| mctx->stapling_responder_timeout = 10 * APR_USEC_PER_SEC; |
| } |
| + |
| SSL_CTX_set_tlsext_status_cb(ctx, stapling_cb); |
| ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01960) "OCSP stapling initialized"); |
| - |
| + |
| return APR_SUCCESS; |
| } |
| |