Diff:
387b976b99496c76d54831c44fb4c218e896c359
ff05125eb81e5bbf2cf05b8434d03bce584936e0
Commit:
ff05125eb81e5bbf2cf05b8434d03bce584936e0
Tree:
85e6c01c598668d3c8bbc2247d93db883451737b
Author:
Stephen Gregoratto <dev@sgregoratto.me>
Date:
Fri Oct 15 07:58:23 2021 UTC
Message:
Implement OCSP stapling support

Currently dogfooding this patch at gemini.sgregoratto.me. To test,
run the following command and look for the "OCSP response" header:

openssl s_client -connect "gemini.sgregoratto.me:1965" -status
commit - 387b976b99496c76d54831c44fb4c218e896c359
commit + ff05125eb81e5bbf2cf05b8434d03bce584936e0
blob - 67e5bc42427eaa7686328286c59bcdfc3017bfbd (mode 644)
blob + 67e5bc42427eaa7686328286c59bcdfc3017bfbd (mode 755)
blob - 39121037af40309a08e71b3e26653c447be9d02f
blob + ebd677331ba559b2062879ca318bed8f7360641d
--- gmid.1
+++ gmid.1
@@ -412,6 +412,19 @@ for FastCGI.
to
.Ar value
for FastCGI.
+.It Ic ocsp Ar file
+Specify an OCSP response to be stapled during TLS handshakes
+with this server.
+The
+.Ar file
+should contain a DER-format OCSP response retrieved from an
+OCSP server for the
+.Ic cert
+in use.
+If the OCSP response in
+.Ar file
+is empty, OCSP stapling will not be used.
+The default is to not use OCSP stapling.
.It Ic root Pa directory
Specify the root directory for this server
.Pq alas the current Dq document root .
blob - 1b91e298a97cc3d37d1a5d4ff58af35f3b2ed3e3
blob + f53733459a801eae947a653fa96e1a69b781ba6e
--- gmid.c
+++ gmid.c
@@ -194,6 +194,20 @@ void
return sock;
}
+static void
+add_keypair(struct vhost *h)
+{
+ if (h->ocsp == NULL) {
+ if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
+ fatal("failed to load the keypair (%s, %s)",
+ h->cert, h->key);
+ } else {
+ if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp) == -1)
+ fatal("failed to load the keypair (%s, %s, %s)",
+ h->cert, h->key, h->ocsp);
+ }
+}
+
void
setup_tls(void)
{
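Review bot: add_keypair carries no comment saying why it forks on h->ocsp, and the tls_config_add_keypair_ocsp_file call runs past the 80-column limit the surrounding code wraps at. A one-line header such as `/* Register h's cert/key with tlsconf, stapling the DER response in h->ocsp when one is configured. */` and wrapping the call as `if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert,` / `    h->key, h->ocsp) == -1)` would match the rest of the file. The two fatal() messages are identical apart from the trailing file list, which is fine, but the second one could name the ocsp path explicitly ("failed to load the keypair and OCSP staple") so an operator can tell which of the three files was at fault.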
@@ -218,12 +232,13 @@ setup_tls(void)
if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
fatal("tls_config_set_keypair_file failed for (%s, %s)",
h->cert, h->key);
+ if (h->ocsp != NULL &&
+ tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
+ fatal("tls_config_set_ocsp_staple_file failed for (%s)",
+ h->ocsp);
- while ((h = TAILQ_NEXT(h, vhosts)) != NULL) {
- if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
- fatal("failed to load the keypair (%s, %s)",
- h->cert, h->key);
- }
+ while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
+ add_keypair(h);
if (tls_configure(ctx, tlsconf) == -1)
fatal("tls_configure: %s", tls_error(ctx));
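Review bot: The first vhost now goes through a different code path from every other vhost: two calls (tls_config_set_keypair_file, then the added tls_config_set_ocsp_staple_file) with a bare truthiness test on the first and an `== -1` test on the second, whereas add_keypair() uses the single tls_config_add_keypair_ocsp_file call. Mirroring add_keypair() with tls_config_set_keypair_ocsp_file for the h->ocsp case keeps both paths reviewable side by side and makes the error checks consistent; the rewrite is below. Worth a comment here too is that the staple is read from disk once at this point; an OCSP response is only valid for a bounded window, so the operator must refresh the file and re-run this setup (presumably a restart or reload, which is not visible in this hunk) before it goes stale. setup_tls begins and ends outside the hunk.
```c
	/* First vhost: same keypair/OCSP handling as add_keypair(). */
	if (h->ocsp == NULL) {
		if (tls_config_set_keypair_file(tlsconf, h->cert, h->key) == -1)
			fatal("tls_config_set_keypair_file failed for (%s, %s)",
			    h->cert, h->key);
	} else if (tls_config_set_keypair_ocsp_file(tlsconf, h->cert,
	    h->key, h->ocsp) == -1)
		fatal("tls_config_set_keypair_ocsp_file failed for (%s, %s, %s)",
		    h->cert, h->key, h->ocsp);
	/* … unchanged: loop over the remaining vhosts, tls_configure … */
```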
blob - ecd53a26758d1f5c8b06a71a2d45c722a2155544
blob + f7c846e3a8a68e77eb8a86c18d79b002c5a72685
--- gmid.h
+++ gmid.h
@@ -118,6 +118,7 @@ struct vhost {
const char *domain;
const char *cert;
const char *key;
+ const char *ocsp;
const char *cgi;
const char *entrypoint;
blob - 255be767e5e0e7036a0052ae4030359d73847cf0
blob + 8a9bae012f1bfe907bca072dddb481f3b623889f
--- parse.y
+++ parse.y
@@ -120,7 +120,7 @@ typedef struct {
%token KEY
%token LANG LOCATION LOG
%token MAP MIME
-%token OFF ON
+%token OCSP OFF ON
%token PARAM PORT PREFORK PROTOCOLS
%token REQUIRE RETURN ROOT
%token SERVER SPAWN STRIP
@@ -271,6 +271,10 @@ servopt : ALIAS string {
only_once(host->key, "key");
host->key = ensure_absolute_path($2);
}
+ | OCSP string {
+ only_once(host->ocsp, "ocsp");
+ host->ocsp = ensure_absolute_path($2);
+ }
| PARAM string '=' string {
add_param($2, $4, 0);
}
@@ -397,6 +401,7 @@ static struct keyword {
{"log", LOG},
{"map", MAP},
{"mime", MIME},
+ {"ocsp", OCSP},
{"off", OFF},
{"on", ON},
{"param", PARAM},