RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-06 03:59:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: boringssl: basic support for OCSP Stapling

Browse Source 
Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with
'.ocsp' extension. CLI update is not supported.
This commit is contained in:
Emmanuel Hocdet 2017-05-22 14:58:00 +02:00 committed by Willy Tarreau
parent 3854e0102b
commit 2c32d8f379
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/management.txt
View File

@ -1658,7 +1658,8 @@ set ssl ocsp-response <response>
This command is used to update an OCSP Response for a certificate (see "crt" This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of on "bind" lines). Same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the the response. The <response> must be passed as a base64 encoded string of the
DER encoded response from the OCSP server. DER encoded response from the OCSP server. This command is not supported with
BoringSSL.
Example: Example:
openssl ocsp -issuer issuer.pem -cert server.pem \ openssl ocsp -issuer issuer.pem -cert server.pem \

41
src/ssl_sock.c
View File

@ -1117,6 +1117,43 @@ out:
#endif #endif
#ifdef OPENSSL_IS_BORINGSSL
static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
{
char ocsp_path[MAXPATHLEN+1];
struct stat st;
int fd = -1, r = 0;
snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
if (stat(ocsp_path, &st))
return 0;
fd = open(ocsp_path, O_RDONLY);
if (fd == -1) {
Warning("Error opening OCSP response file %s.\n", ocsp_path);
return -1;
}
trash.len = 0;
while (trash.len < trash.size) {
r = read(fd, trash.str + trash.len, trash.size - trash.len);
if (r < 0) {
if (errno == EINTR)
continue;
Warning("Error reading OCSP response from file %s.\n", ocsp_path);
close(fd);
return -1;
}
else if (r == 0) {
break;
}
trash.len += r;
}
close(fd);
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)trash.str, trash.len);
}
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
#define CT_EXTENSION_TYPE 18 #define CT_EXTENSION_TYPE 18
@ -2743,6 +2780,8 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
rv = 1; rv = 1;
goto end; goto end;
} }
#elif (defined OPENSSL_IS_BORINGSSL)
ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);
#endif #endif
} }
} }
@ -2996,6 +3035,8 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
*err ? *err : "", path); *err ? *err : "", path);
return 1; return 1;
} }
#elif (defined OPENSSL_IS_BORINGSSL)
ssl_sock_set_ocsp_response_from_file(ctx, path);
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)