Index: docs/manual/mod/mod_ssl.xml
===================================================================
--- docs/manual/mod/mod_ssl.xml (revision 1827002)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -2298,7 +2298,7 @@
This option enables OCSP validation of the client certificate
chain. If this option is enabled, certificates in the client's
certificate chain will be validated against an OCSP responder after
-normal verification (including CRL checks) have taken place.
The OCSP responder used is either extracted from the certificate itself, or derived by configuration; see the
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1827002)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -243,8 +243,8 @@
 "request body if a per-location SSL renegotiation is required due to "
 "changed access control requirements")
- SSL_CMD_SRV(OCSPEnable, FLAG,
- "Enable use of OCSP to verify certificate revocation ('on', 'off')")
+ SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
+ "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
 SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
 "URL of the default OCSP Responder")
 SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1827002)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -137,8 +137,8 @@
 mctx->auth.verify_depth = UNSET;
 mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
- mctx->ocsp_enabled = FALSE;
- mctx->ocsp_force_default = FALSE;
+ mctx->ocsp_mask = UNSET;
+ mctx->ocsp_force_default = UNSET;
 mctx->ocsp_responder = NULL;
 mctx->ocsp_resptime_skew = UNSET;
 mctx->ocsp_resp_maxage = UNSET;
@@ -281,7 +281,7 @@
 cfgMergeInt(auth.verify_depth);
 cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
- cfgMergeBool(ocsp_enabled);
+ cfgMergeInt(ocsp_mask);
 cfgMergeBool(ocsp_force_default);
 cfgMerge(ocsp_responder, NULL);
 cfgMergeInt(ocsp_resptime_skew);
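Review bot: The new usage string for `SSL_CMD_SRV(OCSPEnable, RAW_ARGS, ...)` names only 'on', 'leaf' and 'off', yet the parser this directive now dispatches to (ssl_engine_config.c, `@@ -1673`) also accepts a trailing `no_ocsp_for_cert_ok` word. This string is what an operator sees on a configuration error, so the optional flag should be listed there too. Suggest `"OCSP certificate revocation checking mode ('on', 'leaf', 'off'), optionally followed by 'no_ocsp_for_cert_ok'"`.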
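Review bot: `mctx->ocsp_force_default` is now initialised to `UNSET` instead of `FALSE`, but the only UNSET resolution this diff adds (ssl_engine_init.c, `@@ -901`) covers `ocsp_mask`; nothing visible maps `ocsp_force_default` back to FALSE before it is read. If `UNSET` is the usual mod_ssl -1 sentinel, a server that never sets SSLOCSPOverrideResponder would evaluate the field as true and be forced onto the default responder, silently changing which OCSP responder a client certificate is checked against. Unless this is resolved somewhere outside the diff, add next to the new ocsp_mask block in ssl_engine_init.c: `if (mctx->ocsp_force_default == UNSET) { mctx->ocsp_force_default = FALSE; }`. The switch to UNSET itself looks intended, since `cfgMergeBool(ocsp_force_default)` in the `@@ -281` hunk presumably can only inherit a base value when the sentinel is UNSET.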
@@ -1673,12 +1673,47 @@
 return NULL;
 }
-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
+static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
+ const char *arg,
+ int *mask)
 {
+ const char *w;
+
+ w = ap_getword_conf(parms->temp_pool, &arg);
+ if (strcEQ(w, "off")) {
+ *mask = SSL_OCSPCHECK_NONE;
+ }
+ else if (strcEQ(w, "leaf")) {
+ *mask = SSL_OCSPCHECK_LEAF;
+ }
+ else if (strcEQ(w, "on")) {
+ *mask = SSL_OCSPCHECK_CHAIN;
+ }
+ else {
+ return apr_pstrcat(parms->temp_pool, parms->cmd->name,
+ ": Invalid argument '", w, "'",
+ NULL);
+ }
+
+ while (*arg) {
+ w = ap_getword_conf(parms->temp_pool, &arg);
+ if (strcEQ(w, "no_ocsp_for_cert_ok")) {
+ *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
+ }
+ else {
+ return apr_pstrcat(parms->temp_pool, parms->cmd->name,
+ ": Invalid argument '", w, "'",
+ NULL);
+ }
+ }
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
+{
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- sc->server->ocsp_enabled = flag ? TRUE : FALSE;
-
 #ifdef OPENSSL_NO_OCSP
 if (flag) {
 return "OCSP support disabled in SSL library; cannot enable "
@@ -1686,7 +1686,7 @@
 }
 #endif
- return NULL;
+ return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
 }
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
@@ -2065,3 +2100,4 @@
 }
 }
+
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1827002)
+++ modules/ssl/ssl_engine_init.c (working copy)
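Review bot: The `#ifdef OPENSSL_NO_OCSP` block kept as context still tests `flag`, which no longer exists now that `ssl_cmd_SSLOCSPEnable` takes `const char *arg`, so a build against an SSL library without OCSP fails to compile here; once fixed, the guard must reject any mode other than 'off' rather than a true flag. The `@@ -1686` hunk holds the same function's tail, where the new `return ssl_cmd_ocspcheck_parse(...)` sits after the `#endif`, so the parse has to move before the guard for the check to see the mask. A rewrite of the body along the lines below keeps the parser untouched; `ssl_cmd_SSLOCSPEnable` closes in the `@@ -1686` hunk.
```c
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err = ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);

    if (err) {
        return err;
    }

#ifdef OPENSSL_NO_OCSP
    /* Only 'off' is acceptable when the library has no OCSP support. */
    if (sc->server->ocsp_mask != SSL_OCSPCHECK_NONE) {
        return "OCSP support disabled in SSL library; cannot enable " /* … unchanged: remainder of message … */;
    }
#endif

    return NULL;
}
```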
@@ -901,6 +901,10 @@
 char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
 int crl_check_mode;
+ if (mctx->ocsp_mask == UNSET) {
+ mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
+ }
+
 if (mctx->crl_check_mask == UNSET) {
 mctx->crl_check_mask = SSL_CRLCHECK_NONE;
 }
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 1827002)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1578,7 +1578,6 @@
 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
 int depth, verify;
-
 /*
 * Log verification information
 */
@@ -1652,7 +1651,8 @@
 /*
 * Perform OCSP-based revocation checks
 */
- if (ok && sc->server->ocsp_enabled) {
+ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
 /* If there was an optional verification error, it's not
 * possible to perform OCSP validation since the issuer may be
 * missing/untrusted. Fail in that case. */
Index: modules/ssl/ssl_engine_ocsp.c
===================================================================
--- modules/ssl/ssl_engine_ocsp.c (revision 1827002)
+++ modules/ssl/ssl_engine_ocsp.c (working copy)
@@ -139,7 +139,14 @@
 ruri = determine_responder_uri(sc, cert, c, pool);
 if (!ruri) {
- return V_OCSP_CERTSTATUS_UNKNOWN;
+ if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "Skipping OCSP check for certificate cos no OCSP URL"
+ " found and no_ocsp_for_cert_ok is set");
+ return V_OCSP_CERTSTATUS_GOOD;
+ } else {
+ return V_OCSP_CERTSTATUS_UNKNOWN;
+ }
 }
 request = create_request(ctx, cert, &certID, s, pool, sc);
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1827002)
+++ modules/ssl/ssl_private.h (working copy)
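Review bot: The new condition in the `@@ -1652` hunk of ssl_engine_kernel.c expresses the 'leaf' semantics only through `errdepth == 0`, and nothing at the call site says so; a reader has to cross-reference the enum to see that CHAIN checks every certificate while LEAF checks only the end-entity one. Add above the `if`: `/* 'on' (CHAIN) OCSP-checks every certificate in the chain; 'leaf' only the end-entity certificate, i.e. depth 0. */`. Hoisting the test into a local would also keep the `if` readable: `int ocsp_mask = sc->server->ocsp_mask;` then `int ocsp_check = (ocsp_mask & SSL_OCSPCHECK_CHAIN) || (errdepth == 0 && (ocsp_mask & SSL_OCSPCHECK_LEAF));` and `if (ok && ocsp_check) {`. The enclosing verify callback starts and ends outside the hunk.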
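Review bot: In the ssl_engine_ocsp.c `@@ -139` hunk, returning `V_OCSP_CERTSTATUS_GOOD` for a certificate that carries no responder URL is a deliberate relaxation of revocation checking, yet it is logged only at `APLOG_TRACE2`, so a server at a typical log level keeps no record that a certificate was admitted without any OCSP query; `APLOG_DEBUG` would let an operator account for it after the fact. The message text `"... cos no OCSP URL found ..."` is informal for a log line — `"because no OCSP responder URL was found"` reads better. The `else` after `return` is redundant; the original `return V_OCSP_CERTSTATUS_UNKNOWN;` can simply follow the `if` block.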
@@ -418,6 +418,16 @@
 } ssl_crlcheck_t;
 /**
+ * OCSP checking mask (mode | flags)
+ */
+typedef enum {
+ SSL_OCSPCHECK_NONE = (0),
+ SSL_OCSPCHECK_LEAF = (1 << 0),
+ SSL_OCSPCHECK_CHAIN = (1 << 1),
+ SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
+} ssl_ocspcheck_t;
+
+/**
 * Define the SSL pass phrase dialog types
 */
 typedef enum {
@@ -701,7 +711,7 @@
 modssl_auth_ctx_t auth;
- BOOL ocsp_enabled; /* true if OCSP verification enabled */
+ int ocsp_mask;
 BOOL ocsp_force_default; /* true if the default responder URL is
 * used regardless of per-cert URL */
 const char *ocsp_responder; /* default responder URL */
@@ -844,7 +854,7 @@
 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
 /* Declare OCSP Responder Certificate Verification Directive */
Index: .
===================================================================
--- . (revision 1827002)
+++ . (working copy)
Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
 Merged /httpd/httpd/trunk:r1827001
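Review bot: The comment `OCSP checking mask (mode | flags)` on the new `ssl_ocspcheck_t` does not say which enumerators are modes and which are flags, while the parser in ssl_engine_config.c assigns exactly one of NONE/LEAF/CHAIN from the first word and only OR-s NO_OCSP_FOR_CERT_OK in afterwards. Suggest spelling that out: ` * OCSP checking mask: exactly one mode (NONE, LEAF = end-entity certificate only, CHAIN = every certificate in the chain) OR-ed with optional flags such as NO_OCSP_FOR_CERT_OK.`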
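Review bot: In the `@@ -701` hunk, `int ocsp_mask;` replaces a commented field with a bare one, although the neighbouring fields carry trailing comments and this one additionally holds the `UNSET` sentinel until the ssl_engine_init.c hunk resolves it. Suggest `int ocsp_mask; /* ssl_ocspcheck_t mode|flags; UNSET until resolved at init */`.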