Implement OCSP stapling support

Currently dogfooding this patch at gemini.sgregoratto.me. To test,
run the following command and look for the "OCSP response" header:

 openssl s_client -connect "gemini.sgregoratto.me:1965" -status
Stephen Gregoratto 2021-10-15 17:30:42 +11:00 committed by omar-polo
parent 387b976b99
commit ff05125eb8
5 changed files with 40 additions and 6 deletions

0
contrib/gmid Normal file → Executable file

13
gmid.1

@ -412,6 +412,19 @@ Set the param
to
.Ar value
for FastCGI.
.It Ic ocsp Ar file
Specify an OCSP response to be stapled during TLS handshakes
with this server.
The
.Ar file
should contain a DER-format OCSP response retrieved from an
OCSP server for the
.Ic cert
in use.
If the OCSP response in
.Ar file
is empty, OCSP stapling will not be used.
The default is to not use OCSP stapling.
.It Ic root Pa directory
Specify the root directory for this server
.Pq alas the current Dq document root .

25
gmid.c

@ -194,6 +194,20 @@ make_socket(int port, int family)
return sock;
}
static void
add_keypair(struct vhost *h)
{
if (h->ocsp == NULL) {
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
fatal("failed to load the keypair (%s, %s)",
h->cert, h->key);
} else {
if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp) == -1)
fatal("failed to load the keypair (%s, %s, %s)",
h->cert, h->key, h->ocsp);
}
}
void
setup_tls(void)
{
@ -218,12 +232,13 @@ setup_tls(void)
if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
fatal("tls_config_set_keypair_file failed for (%s, %s)",
h->cert, h->key);
if (h->ocsp != NULL &&
tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
fatal("tls_config_set_ocsp_staple_file failed for (%s)",
h->ocsp);
while ((h = TAILQ_NEXT(h, vhosts)) != NULL) {
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
fatal("failed to load the keypair (%s, %s)",
h->cert, h->key);
}
while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
add_keypair(h);
if (tls_configure(ctx, tlsconf) == -1)
fatal("tls_configure: %s", tls_error(ctx));
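Review bot: Both new load paths in setup_tls — tls_config_set_ocsp_staple_file for the first vhost and tls_config_add_keypair_ocsp_file inside add_keypair for the rest — read h->ocsp once at startup, and an OCSP response carries a nextUpdate after which clients treat the staple as stale, so a long-running gmid keeps sending an expired response until it is restarted; nothing in this diff refreshes it. Worth stating above add_keypair, e.g. `/* OCSP staples are loaded once at startup; replace the file and restart gmid before the response's nextUpdate. */`, and in gmid.1 so operators schedule the refresh. The new fatal() calls also discard libtls's own diagnostic; `fatal("tls_config_set_ocsp_staple_file failed for (%s): %s", h->ocsp, tls_config_error(tlsconf));` (and the same in add_keypair) would say why a file was rejected, which matters because a truncated or non-DER file otherwise fails with no detail. The tls_config_add_keypair_ocsp_file call in add_keypair also runs past 80 columns, which the surrounding code wraps. setup_tls continues outside the hunk.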

1
gmid.h

@ -118,6 +118,7 @@ struct vhost {
const char *domain;
const char *cert;
const char *key;
const char *ocsp;
const char *cgi;
const char *entrypoint;


@ -120,7 +120,7 @@ typedef struct {
%token KEY
%token LANG LOCATION LOG
%token MAP MIME
%token OFF ON
%token OCSP OFF ON
%token PARAM PORT PREFORK PROTOCOLS
%token REQUIRE RETURN ROOT
%token SERVER SPAWN STRIP
@ -271,6 +271,10 @@ servopt : ALIAS string {
only_once(host->key, "key");
host->key = ensure_absolute_path($2);
}
| OCSP string {
only_once(host->ocsp, "ocsp");
host->ocsp = ensure_absolute_path($2);
}
| PARAM string '=' string {
add_param($2, $4, 0);
}
@ -397,6 +401,7 @@ static struct keyword {
{"log", LOG},
{"map", MAP},
{"mime", MIME},
{"ocsp", OCSP},
{"off", OFF},
{"on", ON},
{"param", PARAM},