-rw-r--r-- | apps/include/apps.h | 8 | ||||
-rw-r--r-- | apps/ocsp.c | 37 | ||||
-rw-r--r-- | apps/s_server.c | 4 | ||||
-rw-r--r-- | doc/man1/openssl-ocsp.pod.in | 21 |
4 files changed, 52 insertions, 18 deletions
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 41178a6e22..829c49e34e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -175,10 +175,10 @@ const EVP_MD *get_digest_from_engine(const char *name);
 const EVP_CIPHER *get_cipher_from_engine(const char *name);
 # ifndef OPENSSL_NO_OCSP
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
- const char *host, const char *path,
- const char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
 int req_timeout);
 # endif
diff --git a/apps/ocsp.c b/apps/ocsp.c
index dd816c4221..9b26af8655 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -87,6 +87,7 @@ static int index_changed(CA_DB *);
 typedef enum OPTION_choice {
 OPT_COMMON, OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+ OPT_PROXY, OPT_NO_PROXY,
 OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
@@ -158,6 +159,13 @@ const OPTIONS ocsp_options[] = {
 {"url", OPT_URL, 's', "Responder URL"},
 {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"},
 {"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"proxy", OPT_PROXY, 's',
+ "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
+ {"no_proxy", OPT_NO_PROXY, 's',
+ "List of addresses of servers not to use HTTP(S) proxy for"},
+ {OPT_MORE_STR, 0, 0,
+ "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
 {"out", OPT_OUTFILE, '>', "Output filename"},
 {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
 {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
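Review bot: The reordered parameters `host`, `port`, `path`, `proxy` and `no_proxy` of process_responder are all `const char *`, so any caller still passing the old (host, path, port) order compiles without a warning; the two in-tree callers are updated in this commit, but nothing on the prototype itself states the new contract. A short comment above the declaration would carry it, e.g. `/* Send req to the responder at host:port/path; proxy and no_proxy may be NULL, in which case the defaults described for the -proxy/-no_proxy options of openssl-ocsp apply. */`, with the NULL semantics confirmed against app_http_post_asn1, which this hunk does not show. The same applies to the definition in the apps/ocsp.c hunk at -1193.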
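Review bot: The `-proxy` help string `[http[s]://]host[:port][/path]` in the ocsp_options table omits the `[userinfo@]` component that the new openssl-ocsp.pod synopsis lists for the same option, and unlike `-no_proxy` it carries no OPT_MORE_STR line stating its environment-variable default, which the pod describes as `http_proxy`/`HTTP_PROXY` (or `https_proxy`/`HTTPS_PROXY` when TLS is used). Since a proxy picked up silently from the environment changes where the OCSP request is sent, the help text should mention it; a line such as `{OPT_MORE_STR, 0, 0, "Default from environment variable 'http_proxy', else 'HTTP_PROXY', else none"}` after the proxy entry (extended with the https variants as the pod does) and the help string aligned with the synopsis would keep the two consistent.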
@@ -184,7 +192,6 @@ const OPTIONS ocsp_options[] = {
 {"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
 {"verify_other", OPT_VERIFY_OTHER, '<',
 "Additional certificates to search for signer"},
- {"path", OPT_PATH, 's', "Path to use in OCSP request"},
 {"cert", OPT_CERT, '<', "Certificate to check"},
 {"serial", OPT_SERIAL, 's', "Serial number to check"},
 {"validity_period", OPT_VALIDITY_PERIOD, 'u',
@@ -225,6 +232,8 @@ int ocsp_main(int argc, char **argv)
 const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
 char *header, *value, *respdigname = NULL;
 char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+ char *opt_proxy = NULL;
+ char *opt_no_proxy = NULL;
 char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
 char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
 char *rsignfile = NULL, *rkeyfile = NULL;
@@ -287,6 +296,15 @@ int ocsp_main(int argc, char **argv)
 case OPT_PORT:
 port = opt_arg();
 break;
+ case OPT_PATH:
+ path = opt_arg();
+ break;
+ case OPT_PROXY:
+ opt_proxy = opt_arg();
+ break;
+ case OPT_NO_PROXY:
+ opt_no_proxy = opt_arg();
+ break;
 case OPT_IGNORE_ERR:
 ignore_err = 1;
 break;
@@ -398,9 +416,6 @@ int ocsp_main(int argc, char **argv)
 case OPT_RESPOUT:
 respout = opt_arg();
 break;
- case OPT_PATH:
- path = opt_arg();
- break;
 case OPT_ISSUER:
 issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
 if (issuer == NULL)
@@ -702,8 +717,8 @@ redo_accept:
 send_ocsp_response(cbio, resp);
 } else if (host != NULL) {
 #ifndef OPENSSL_NO_SOCK
- resp = process_responder(req, host, path,
- port, use_ssl, headers, req_timeout);
+ resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
+ use_ssl, headers, req_timeout);
 if (resp == NULL)
 goto end;
 #else
@@ -1193,10 +1208,10 @@ static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
 }
 #ifndef OPENSSL_NO_SOCK
-OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
- const char *host, const char *path,
- const char *port, int use_ssl,
- STACK_OF(CONF_VALUE) *headers,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
+ const char *port, const char *path,
+ const char *proxy, const char *no_proxy,
+ int use_ssl, STACK_OF(CONF_VALUE) *headers,
 int req_timeout)
 {
 SSL_CTX *ctx = NULL;
@@ -1211,7 +1226,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
 }
 resp = (OCSP_RESPONSE *)
- app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */,
+ app_http_post_asn1(host, port, path, proxy, no_proxy,
 ctx, headers, "application/ocsp-request", (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST), "application/ocsp-response",
diff --git a/apps/s_server.c b/apps/s_server.c
index 51b5c9d381..2001de426c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -523,8 +523,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
 if (!OCSP_REQUEST_add_ext(req, ext, -1))
 goto err;
 }
- *resp = process_responder(req, host, path, port, use_ssl, NULL,
- srctx->timeout);
+ *resp = process_responder(req, host, port, path, proxy, no_proxy,
+ use_ssl, NULL /* headers */, srctx->timeout);
 if (*resp == NULL) {
 BIO_puts(bio_err, "cert_status: error querying responder\n");
 goto done;
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 9fdb25ba5a..168817f608 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,9 +30,11 @@ B<openssl> B<ocsp>
 [B<-respin> I<file>]
 [B<-url> I<URL>]
 [B<-host> I<host>:I<port>]
+[B<-path>]
+[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
+[B<-no_proxy> I<addresses>]
 [B<-header>]
 [B<-timeout> I<seconds>]
-[B<-path>]
 [B<-VAfile> I<file>]
 [B<-validity_period> I<n>]
 [B<-status_age> I<n>]
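Review bot: In the apps/s_server.c hunk, `proxy` and `no_proxy` are handed to process_responder but neither is declared or assigned within the hunk, and get_ocsp_resp_from_responder begins outside it; confirm both are initialised on every path that reaches this call, since an uninitialised `char *` here would be undefined behaviour and would pass an arbitrary pointer to the HTTP client. If they are simply NULL, then the environment defaults the new openssl-ocsp.pod text gives for `-proxy` (`http_proxy`/`https_proxy`) presumably now apply to s_server's OCSP stapling queries too, assuming app_http_post_asn1 implements that fallback; that is a behaviour change for a long-running server inheriting its environment and deserves a sentence in the s_server documentation. A call-site comment such as `/* proxy/no_proxy NULL: app_http_post_asn1 falls back to the http(s)_proxy / no_proxy environment variables */` would make the intent visible to the next reader.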
@@ -167,6 +169,23 @@ I<hostname> on port I<port>.
 The B<-path> option specifies the HTTP pathname to use or "/" by default. This is equivalent to specifying B<-url> with scheme http:// and the given hostname, port, and pathname.
+=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
+
+The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
+the optional C<http://> or C<https://> prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
+in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
+
+=item B<-no_proxy> I<addresses>
+
+List of IP addresses and/or DNS names of servers
+not to use an HTTP(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
+Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
+
 =item B<-header> I<name>=I<value>
 Adds the header I<name> with the specified I<value> to the OCSP request |