commit ff05125eb81e5bbf2cf05b8434d03bce584936e0
from: Stephen Gregoratto
via: omar-polo
date: Fri Oct 15 07:58:23 2021 UTC
Implement OCSP stapling support
Currently dogfooding this patch at gemini.sgregoratto.me. To test, run the following command and look for the "OCSP response" header:
openssl s_client -connect "gemini.sgregoratto.me:1965" -status
commit - 387b976b99496c76d54831c44fb4c218e896c359
commit + ff05125eb81e5bbf2cf05b8434d03bce584936e0
blob - 67e5bc42427eaa7686328286c59bcdfc3017bfbd (mode 644)
blob + 67e5bc42427eaa7686328286c59bcdfc3017bfbd (mode 755)
blob - 39121037af40309a08e71b3e26653c447be9d02f
blob + ebd677331ba559b2062879ca318bed8f7360641d
--- gmid.1
+++ gmid.1
@@ -412,6 +412,19 @@ Set the param to
 .Ar value
 for FastCGI.
+.It Ic ocsp Ar file
+Specify an OCSP response to be stapled during TLS handshakes
+with this server.
+The
+.Ar file
+should contain a DER-format OCSP response retrieved from an
+OCSP server for the
+.Ic cert
+in use.
+If the OCSP response in
+.Ar file
+is empty, OCSP stapling will not be used.
+The default is to not use OCSP stapling.
 .It Ic root Pa directory
 Specify the root directory for this server
 .Pq alas the current Dq document root .
blob - 1b91e298a97cc3d37d1a5d4ff58af35f3b2ed3e3
blob + f53733459a801eae947a653fa96e1a69b781ba6e
--- gmid.c
+++ gmid.c
@@ -194,6 +194,20 @@ make_socket(int port, int family)
 return sock;
 }
 
+static void
+add_keypair(struct vhost *h)
+{
+ if (h->ocsp == NULL) {
+ if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
+ fatal("failed to load the keypair (%s, %s)",
+ h->cert, h->key);
+ } else {
+ if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp) == -1)
+ fatal("failed to load the keypair (%s, %s, %s)",
+ h->cert, h->key, h->ocsp);
+ }
+}
+
 void
 setup_tls(void)
 {
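Review bot: The two `fatal()` calls in `add_keypair` drop the reason libtls gave for rejecting the files, so a malformed or unreadable DER response shows up in the log as nothing more than three paths. The next hunk already appends `tls_error(ctx)` to the `tls_configure` failure; the same can be done here with `fatal("failed to load the keypair (%s, %s, %s): %s", h->cert, h->key, h->ocsp, tls_config_error(tlsconf));` and the matching two-path form in the first branch. A one-line header comment is also missing, e.g. `/* Add the keypair of vhost h to tlsconf, stapling h->ocsp when set. */`. Assuming the usual two tabs of indent (lost in this rendering), the `tls_config_add_keypair_ocsp_file` line runs well past 80 columns, unlike the rest of the code shown here.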
@@ -218,12 +232,13 @@ setup_tls(void)
 if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
 fatal("tls_config_set_keypair_file failed for (%s, %s)",
 h->cert, h->key);
+ if (h->ocsp != NULL &&
+ tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
+ fatal("tls_config_set_ocsp_staple_file failed for (%s)",
+ h->ocsp);
 
- while ((h = TAILQ_NEXT(h, vhosts)) != NULL) {
- if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
- fatal("failed to load the keypair (%s, %s)",
- h->cert, h->key);
- }
+ while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
+ add_keypair(h);
 
 if (tls_configure(ctx, tlsconf) == -1)
 fatal("tls_configure: %s", tls_error(ctx));
blob - ecd53a26758d1f5c8b06a71a2d45c722a2155544
blob + f7c846e3a8a68e77eb8a86c18d79b002c5a72685
--- gmid.h
+++ gmid.h
@@ -118,6 +118,7 @@ struct vhost {
 const char *domain;
 const char *cert;
 const char *key;
+ const char *ocsp;
 const char *cgi;
 const char *entrypoint;
blob - 255be767e5e0e7036a0052ae4030359d73847cf0
blob + 8a9bae012f1bfe907bca072dddb481f3b623889f
--- parse.y
+++ parse.y
@@ -120,7 +120,7 @@ typedef struct {
 %token KEY
 %token LANG LOCATION LOG
 %token MAP MIME
-%token OFF ON
+%token OCSP OFF ON
 %token PARAM PORT PREFORK PROTOCOLS
 %token REQUIRE RETURN ROOT
 %token SERVER SPAWN STRIP
@@ -271,6 +271,10 @@ servopt : ALIAS string {
 only_once(host->key, "key");
 host->key = ensure_absolute_path($2);
 }
+ | OCSP string {
+ only_once(host->ocsp, "ocsp");
+ host->ocsp = ensure_absolute_path($2);
+ }
 | PARAM string '=' string {
 add_param($2, $4, 0);
 }
@@ -397,6 +401,7 @@ static struct keyword {
 {"log", LOG},
 {"map", MAP},
 {"mime", MIME},
+ {"ocsp", OCSP},
 {"off", OFF},
 {"on", ON},
 {"param", PARAM},
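Review bot: `tls_config_set_ocsp_staple_file` reads the response from `h->ocsp` once, here during setup, and nothing in this commit reloads it; an OCSP response is only valid until its nextUpdate time, so a long-lived server will keep stapling an expired response, which a client that checks staples may treat as unverified or reject. That deserves a comment at the call site, `/* staple is loaded once at setup; renew the file and restart to refresh it */`, and a sentence in the gmid.1 entry; the same applies to `tls_config_add_keypair_ocsp_file` in the previous hunk. If the server has a configuration-reload path it is not visible here, so "restart" may be "reload" in practice. setup_tls() begins outside the hunk.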
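Review bot: The new `ocsp` member of `struct vhost` holds a file path rather than a response (parse.y assigns `ensure_absolute_path($2)` to it), and gmid.c uses `NULL` to mean "no stapling", yet the struct states neither. A trailing comment would pin that contract: `const char *ocsp; /* path to a DER OCSP response to staple; NULL disables stapling */`. struct vhost continues outside the hunk.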