[PATCH] OCSP stapling: better handling of successful OCSP responses.
Piotr Sikora
piotr at cloudflare.com
Thu May 16 22:42:39 UTC 2013
changeset: 5216:4fb8fac2b2f5
user: Piotr Sikora <piotr at cloudflare.com>
date: Thu May 16 15:37:24 2013 -0700
files: src/event/ngx_event_openssl_stapling.c
description:
OCSP stapling: better handling of successful OCSP responses.
All successful OCSP responseses, regardless of the certificate status,
should be cached and used for OCSP stapling.
While there, log the certificate's common name and revocation reason,
because certificate status alone isn't very useful information.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
diff -r cfab1e7e4ac2 -r 4fb8fac2b2f5 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:24 2013 -0700
@@ -529,7 +529,7 @@
const
#endif
u_char *p;
- int n;
+ int n, r, idx;
size_t len;
ngx_str_t response;
X509_STORE *store;
@@ -539,6 +539,10 @@
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *str;
+ ngx_str_t s;
staple = ctx->data;
ocsp = NULL;
@@ -606,7 +610,7 @@
goto error;
}
- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, id, &n, &r, NULL,
&thisupdate, &nextupdate)
!= 1)
{
@@ -615,19 +619,43 @@
goto error;
}
- if (n != V_OCSP_CERTSTATUS_GOOD) {
- ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status \"%s\" in the OCSP response",
- OCSP_cert_status_str(n));
- goto error;
- }
-
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}
+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ ngx_str_set(&s, "unknown");
+
+ if (ctx->cert) {
+ name = X509_get_subject_name(ctx->cert);
+ if (name) {
+ idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (idx != -1) {
+ entry = X509_NAME_get_entry(name, idx);
+ if (entry) {
+ str = X509_NAME_ENTRY_get_data(entry);
+ s.data = ASN1_STRING_data(str);
+ s.len = ASN1_STRING_length(str);
+ }
+ }
+ }
+ }
+
+ if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" (reason: \"%s\") in the "
+ "OCSP response for \"%V\"",
+ OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
+
+ } else {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" in the OCSP response "
+ "for \"%V\"", OCSP_cert_status_str(n), &s);
+ }
+ }
+
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
More information about the nginx-devel
mailing list