diff options
author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-01-22 02:38:25 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-01-29 03:10:11 -0500 |
commit | 81e4f4c4a7ce25ba6173d7020b20140559f8ad01 (patch) | |
tree | 311e94c00c8cc6d61f9adf9a874862f73a1c573e /src/mod_gnutls.c | |
parent | 3a2ddc6cf80f66bee0d39152be7fa10c64064115 (diff) | |
download | lighttpd-git-81e4f4c4a7ce25ba6173d7020b20140559f8ad01.tar.gz |
[TLS] detect expired stapling file at startup (fixes #3056)
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)
x-ref:
"OCSP Stapling reload seems not to work"
https://redmine.lighttpd.net/issues/3056
Diffstat (limited to 'src/mod_gnutls.c')
-rw-r--r-- | src/mod_gnutls.c | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c index a87b2689..08d84e55 100644 --- a/src/mod_gnutls.c +++ b/src/mod_gnutls.c @@ -893,6 +893,23 @@ mod_gnutls_ocsp_next_update (plugin_cert *pc, log_error_st *errh) #endif +__attribute_cold__ +static void +mod_gnutls_expire_stapling_file (server *srv, plugin_cert *pc) +{ + #if 0 + /* discard expired OCSP stapling response */ + /* Does GnuTLS detect expired OCSP response? */ + /* or must we rebuild gnutls_certificate_credentials_t ? */ + #endif + if (pc->must_staple) + log_error(srv->errh, __FILE__, __LINE__, + "certificate marked OCSP Must-Staple, " + "but OCSP response expired from ssl.stapling-file %s", + pc->ssl_stapling_file->ptr); +} + + static int mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts) { @@ -948,6 +965,8 @@ mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ pc->ssl_stapling_nextts = cur_ts + 3600; pc->ssl_stapling_loadts = 0; } + else if (pc->ssl_stapling_nextts < cur_ts) + mod_gnutls_expire_stapling_file(srv, pc); return 0; } @@ -956,25 +975,13 @@ mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ static int mod_gnutls_refresh_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts) { - if (pc->ssl_stapling_nextts >= 256 - && pc->ssl_stapling_nextts - 256 > cur_ts) + if (pc->ssl_stapling_nextts > cur_ts + 256) return 0; /* skip check for refresh unless close to expire */ struct stat st; if (0 != stat(pc->ssl_stapling_file->ptr, &st) || st.st_mtime <= pc->ssl_stapling_loadts) { - if (pc->ssl_stapling_nextts < cur_ts) { - #if 0 - /* discard expired OCSP stapling response */ - /* Does GnuTLS detect expired OCSP response? */ - /* or must we rebuild gnutls_certificate_credentials_t ? */ - #endif - if (pc->must_staple) { - log_error(srv->errh, __FILE__, __LINE__, - "certificate marked OCSP Must-Staple, " - "but OCSP response expired from ssl.stapling-file %s", - pc->ssl_stapling_file->ptr); - } - } + if (pc->ssl_stapling_nextts < cur_ts) + mod_gnutls_expire_stapling_file(srv, pc); return 0; } return mod_gnutls_reload_stapling_file(srv, pc, cur_ts); |