Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@buglloc

buglloc/post-ocsp-nginx.patch

Created March 28, 2015 08:52
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save buglloc/6f14a16ab702478d23e3 to your computer and use it in GitHub Desktop.
Save buglloc/6f14a16ab702478d23e3 to your computer and use it in GitHub Desktop.
Download ZIP
Патч для nginx 1.6.2 добавляющий директиву ssl_stapling_force_post, что бы заставить nginx использовать POST запрос к OCSP Responder'у.
Raw
post-ocsp-nginx.patch
Allow force POST OCSP Request
diff -r 16a73c3a8fcd -r d66ba95eb8a9 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Mar 27 23:34:51 2015 +0200
+++ b/src/event/ngx_event_openssl.h Fri Mar 27 23:35:54 2015 +0200
@@ -119,7 +119,7 @@
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+ ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify, ngx_uint_t force_post);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
diff -r 16a73c3a8fcd -r d66ba95eb8a9 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Fri Mar 27 23:34:51 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Fri Mar 27 23:35:54 2015 +0200
@@ -34,6 +34,7 @@
time_t valid;
unsigned verify:1;
+ unsigned force_post:1;
unsigned loading:1;
} ngx_ssl_stapling_t;
@@ -105,6 +106,8 @@
static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
+static ngx_int_t ngx_ssl_ocsp_create_get_http_request(ngx_ssl_ocsp_ctx_t *ctx, ngx_str_t binary);
+static ngx_int_t ngx_ssl_ocsp_create_post_http_request(ngx_ssl_ocsp_ctx_t *ctx, ngx_str_t binary);
static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
@@ -116,7 +119,7 @@
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
- ngx_str_t *responder, ngx_uint_t verify)
+ ngx_str_t *responder, ngx_uint_t verify, ngx_uint_t force_post)
{
ngx_int_t rc;
ngx_pool_cleanup_t *cln;
@@ -146,6 +149,7 @@
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
staple->verify = verify;
+ staple->force_post = force_post;
if (file->len) {
/* use OCSP response from the file */
@@ -1095,12 +1099,12 @@
{
int len;
u_char *p;
- uintptr_t escape;
- ngx_str_t binary, base64;
- ngx_buf_t *b;
+ ngx_str_t binary;
OCSP_CERTID *id;
OCSP_REQUEST *ocsp;
+ ngx_ssl_stapling_t *staple;
+ staple = ctx->data;
ocsp = OCSP_REQUEST_new();
if (ocsp == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
@@ -1142,10 +1146,35 @@
goto failed;
}
+ OCSP_REQUEST_free(ocsp);
+
+ if (staple->force_post) {
+ return ngx_ssl_ocsp_create_post_http_request(ctx, binary);
+ } else {
+ return ngx_ssl_ocsp_create_get_http_request(ctx, binary);
+ }
+
+
+failed:
+
+ OCSP_REQUEST_free(ocsp);
+
+ return NGX_ERROR;
+}
+
+static ngx_int_t
+ngx_ssl_ocsp_create_get_http_request(ngx_ssl_ocsp_ctx_t *ctx, ngx_str_t binary)
+{
+ int len;
+ u_char *p;
+ ngx_buf_t *b;
+ uintptr_t escape;
+ ngx_str_t base64;
+
base64.len = ngx_base64_encoded_length(binary.len);
base64.data = ngx_palloc(ctx->pool, base64.len);
if (base64.data == NULL) {
- goto failed;
+ return NGX_ERROR;
}
ngx_encode_base64(&base64, &binary);
@@ -1164,7 +1193,7 @@
b = ngx_create_temp_buf(ctx->pool, len);
if (b == NULL) {
- goto failed;
+ return NGX_ERROR;
}
p = b->last;
@@ -1196,14 +1225,72 @@
ctx->request = b;
return NGX_OK;
-
-failed:
-
- OCSP_REQUEST_free(ocsp);
-
- return NGX_ERROR;
}
+static ngx_int_t
+ngx_ssl_ocsp_create_post_http_request(ngx_ssl_ocsp_ctx_t *ctx, ngx_str_t binary)
+{
+ int len;
+ u_char *p;
+ ngx_buf_t *b;
+ ngx_str_t content_length;
+
+ content_length.data = ngx_palloc(ctx->pool, NGX_OFF_T_LEN);
+ if (content_length.data == NULL) {
+ return NGX_ERROR;
+ }
+
+ content_length.len = ngx_sprintf(content_length.data, "%O", binary.len) - content_length.data;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
+ "ssl ocsp request length %z",
+ binary.len);
+
+ len = sizeof("POST ") - 1 + ctx->uri.len + sizeof("/") - 1
+ + sizeof(" HTTP/1.0" CRLF) - 1
+ + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
+ + sizeof("Content-Type: ") - 1 + sizeof("application/ocsp-request") - 1 + sizeof(CRLF) - 1
+ + sizeof("Content-Length: ") - 1 + content_length.len + sizeof(CRLF) - 1
+ + sizeof(CRLF) - 1
+ + binary.len;
+
+
+ b = ngx_create_temp_buf(ctx->pool, len);
+ if (b == NULL) {
+ return NGX_ERROR;
+ }
+
+ p = b->last;
+
+ p = ngx_cpymem(p, "POST ", sizeof("POST ") - 1);
+ p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
+
+ if (ctx->uri.data[ctx->uri.len - 1] != '/') {
+ *p++ = '/';
+ }
+
+ p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
+ p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
+ p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
+ *p++ = CR; *p++ = LF;
+ p = ngx_cpymem(p, "Content-Type: ", sizeof("Content-Type: ") - 1);
+ p = ngx_cpymem(p, "application/ocsp-request", sizeof("application/ocsp-request") - 1);
+ *p++ = CR; *p++ = LF;
+ p = ngx_cpymem(p, "Content-Length: ", sizeof("Content-Length: ") - 1);
+ p = ngx_cpymem(p, content_length.data, content_length.len);
+ *p++ = CR; *p++ = LF;
+
+ /* add "\r\n" at the header end */
+ *p++ = CR; *p++ = LF;
+
+ /* put binary data */
+ p = ngx_cpymem(p, binary.data, binary.len);
+
+ b->last = p;
+ ctx->request = b;
+
+ return NGX_OK;
+}
static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
@@ -1741,7 +1828,7 @@
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
- ngx_str_t *responder, ngx_uint_t verify)
+ ngx_str_t *responder, ngx_uint_t verify, ngx_uint_t force_post)
{
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, not supported");
diff -r 16a73c3a8fcd -r d66ba95eb8a9 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Mar 27 23:34:51 2015 +0200
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Mar 27 23:35:54 2015 +0200
@@ -224,6 +224,13 @@
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
NULL },
+ { ngx_string("ssl_stapling_force_post"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_force_post),
+ NULL },
+
ngx_null_command
};
@@ -514,6 +521,7 @@
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->stapling_force_post = NGX_CONF_UNSET;
return sscf;
}
@@ -572,6 +580,7 @@
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+ ngx_conf_merge_value(conf->stapling_force_post, prev->stapling_force_post, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
@@ -743,7 +752,8 @@
if (conf->stapling) {
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
- &conf->stapling_responder, conf->stapling_verify)
+ &conf->stapling_responder,
+ conf->stapling_verify, conf->stapling_force_post)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 16a73c3a8fcd -r d66ba95eb8a9 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Fri Mar 27 23:34:51 2015 +0200
+++ b/src/http/modules/ngx_http_ssl_module.h Fri Mar 27 23:35:54 2015 +0200
@@ -49,6 +49,7 @@
ngx_flag_t stapling;
ngx_flag_t stapling_verify;
+ ngx_flag_t stapling_force_post;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment