authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-18 11:26:55 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-05 08:57:22 +0100
commitd05093aeef58cfdd93b0dd8b253f0adb4d6f93d9 (patch)
treeac6f0b4aae29a875dfa964724b7e284284aeba67
parentd9ec069c90396b5caf71e65fe430520d9c72802c (diff)
downloadgnutls-d05093aeef58cfdd93b0dd8b253f0adb4d6f93d9.tar.gz
gnutls-serv: allow loading multiple OCSP responses
That is, allow specifying multiple 'ocsp-response' options on the command line. In addition, introduce the option 'ignore-ocsp-response-errors', which sets the GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK flag prior to importing the response. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/serv-args.def11
-rw-r--r--src/serv.c24
2 files changed, 25 insertions, 10 deletions
diff --git a/src/serv-args.def b/src/serv-args.def
index bfb53954f5..b59cef9eb0 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -261,10 +261,17 @@ flag = {
flag = {
name = ocsp-response;
- arg-type = file;
- file-exists = yes;
+ arg-type = string;
descrip = "The OCSP response to send to client";
doc = "If the client requested an OCSP response, return data from this file to the client.";
+ stack-arg;
+ max = NOLIMIT;
+};
+
+flag = {
+ name = ignore-ocsp-response-errors;
+ descrip = "Ignore any errors when setting the OCSP response";
+ doc = "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates.";
};
flag = {
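Review bot: Dropping `file-exists = yes` together with the switch to `arg-type = string` removes the parse-time check that each OCSP response path exists, so a typo in one of several `--ocsp-response` paths is now only reported when gnutls_certificate_set_ocsp_status_request_file() fails during credential setup, after earlier responses have already been loaded; if autogen accepts `file-exists` with `stack-arg`, keeping it would restore the early check. The `doc` text of ocsp-response still reads as if a single file is given; suggest `doc = "If the client requested an OCSP response, return data from this file to the client. This option may be given multiple times.";`. In the new flag, `doc = "That option instructs gnutls ..."` reads better as `doc = "This option instructs gnutls to not attempt to match the provided OCSP responses with the certificates.";`. The hunk appears to have lost blank lines in rendering, so the exact hunk end is inferred.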
diff --git a/src/serv.c b/src/serv.c
index f5946a4417..b2de3dcc28 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -75,7 +75,10 @@ const char *x509_cafile = NULL;
const char *dh_params_file = NULL;
const char *x509_crlfile = NULL;
const char *priorities = NULL;
-const char *status_response_ocsp = NULL;
+
+const char **ocsp_responses = NULL;
+unsigned ocsp_responses_size = 0;
+
const char *sni_hostname = NULL;
int sni_hostname_fatal = 0;
@@ -996,6 +999,7 @@ int main(int argc, char **argv)
char name[256];
int cert_set = 0;
unsigned use_static_dh_params = 0;
+ unsigned i;
cmd_parser(argc, argv);
@@ -1091,8 +1095,6 @@ int main(int argc, char **argv)
}
if (x509_certfile_size > 0 && x509_keyfile_size > 0) {
- unsigned i;
-
for (i = 0; i < x509_certfile_size; i++) {
ret = gnutls_certificate_set_x509_key_file
(cert_cred, x509_certfile[i], x509_keyfile[i], x509ctype);
@@ -1113,12 +1115,16 @@ int main(int argc, char **argv)
}
/* OCSP status-request TLS extension */
- if (status_response_ocsp) {
+ if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS))
+ gnutls_certificate_set_flags(cert_cred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
+ for (i = 0; i < ocsp_responses_size; i++ ) {
ret = gnutls_certificate_set_ocsp_status_request_file
- (cert_cred, status_response_ocsp, 0);
+ (cert_cred, ocsp_responses[i], 0);
if (ret < 0) {
fprintf(stderr,
- "Cannot set OCSP status request file: %s\n",
+ "Cannot set OCSP status request file: %s: %s\n",
+ ocsp_responses[i],
gnutls_strerror(ret));
exit(1);
}
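Review bot: The `if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS))` guard at the top of the hunk controls a call that spans two lines without braces, which the surrounding code (`if (ret < 0) {` below) otherwise avoids; brace it: `if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS)) {` / `gnutls_certificate_set_flags(cert_cred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);` / `}`. It is also worth confirming whether gnutls_certificate_set_flags() assigns the flag word or ORs into it — if it assigns, any flag set on cert_cred earlier in main() would be cleared here, and main()'s body continues on both sides of this hunk so that cannot be checked from the hunk alone. A one-line comment such as `/* with this flag a response that does not match any loaded certificate is still installed and served as-is */` would make the effect of the option visible at the point of use. Minor: the stray space in `i++ )` in the for header.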
@@ -1669,8 +1675,10 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(PSKPASSWD))
psk_passwd = OPT_ARG(PSKPASSWD);
- if (HAVE_OPT(OCSP_RESPONSE))
- status_response_ocsp = OPT_ARG(OCSP_RESPONSE);
+ if (HAVE_OPT(OCSP_RESPONSE)) {
+ ocsp_responses = STACKLST_OPT(OCSP_RESPONSE);
+ ocsp_responses_size = STACKCT_OPT(OCSP_RESPONSE);
+ }
if (HAVE_OPT(SNI_HOSTNAME))
sni_hostname = OPT_ARG(SNI_HOSTNAME);