[PATCH] OCSP stapling: better handling of successful OCSP responses.

Maxim Dounin mdounin at mdounin.ru
Thu May 23 15:24:49 UTC 2013 

Hello!

On Tue, May 21, 2013 at 05:17:52PM -0700, Piotr Sikora wrote:

[...]

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1369181290 25200
> # Node ID 7f52714a0b6a4229ab2fa9e640edbf80060eaf34
> # Parent  1d68b502088c9d6e6603e9699354e36d03d77f9c
> OCSP stapling: add ssl_stapling_strict directive.
> 
> When turned on (default), nginx will cache only OCSP responeses
> with "good" certificate status.
> 
> When turned off, nginx will cache all successful OCSP responseses,
> regardless of the certificate status.

Both directive name and flag name looks Directive name doesn't looks good.

> While there, log certificate's common name and revocation reason,
> because certificate status alone isn't very useful information.

You may want to submit this as a separate patch.  It might be also 
good idea to print certificate's information in 
ngx_ssl_ocsp_log_error().

It might be also good idea to use certificate file name instead of 
certificate subject (the same subject can be used for more than 
one certificate... on the other hand, there may be more than one 
certificate in a file - but only first one will be used for 
stapling).

[...]

> @@ -615,19 +621,47 @@
>          goto error;
>      }
> 
> -    if (n != V_OCSP_CERTSTATUS_GOOD) {
> -        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
> -                      "certificate status \"%s\" in the OCSP response",
> -                      OCSP_cert_status_str(n));
> -        goto error;
> -    }
> -

I don't think that changing check order is a good idea.

>      if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
>          ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
>                        "OCSP_check_validity() failed");
>          goto error;
>      }
> 
> +    if (n != V_OCSP_CERTSTATUS_GOOD) {
> +        ngx_str_set(&s, "unknown");
> +
> +        if (ctx->cert) {
> +            name = X509_get_subject_name(ctx->cert);
> +            if (name) {
> +                idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
> +                if (idx != -1) {
> +                    entry = X509_NAME_get_entry(name, idx);
> +                    if (entry) {
> +                        str = X509_NAME_ENTRY_get_data(entry);
> +                        s.data = ASN1_STRING_data(str);
> +                        s.len = ASN1_STRING_length(str);
> +                    }
> +                }
> +            }
> +        }

See above, it probably should be moved to 
ngx_ssl_ocsp_log_error(), and changed to print certificate file 
name instead.

> +
> +        if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
> +            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
> +                          "certificate status \"%s\" (reason: \"%s\") in the "
> +                          "OCSP response for \"%V\"",
> +                          OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
> +
> +        } else {
> +            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
> +                          "certificate status \"%s\" in the OCSP response "
> +                          "for \"%V\"", OCSP_cert_status_str(n), &s);
> +        }

Is printing revocation reason is really needed in error logs?  It 
looks like too many lines of code just to print an additional 
minor detail.

[...]

-- 
Maxim Dounin
http://nginx.org/en/donation.html

More information about the nginx-devel mailing list