Implement OCSP stapling support
Currently dogfooding this patch at gemini.sgregoratto.me. To test, run the following command and look for the "OCSP response" header: openssl s_client -connect "gemini.sgregoratto.me:1965" -status
parent
387b976b99
commit
ff05125eb8
13
gmid.1
13
gmid.1
|
@ -412,6 +412,19 @@ Set the param
|
|||
to
|
||||
.Ar value
|
||||
for FastCGI.
|
||||
.It Ic ocsp Ar file
|
||||
Specify an OCSP response to be stapled during TLS handshakes
|
||||
with this server.
|
||||
The
|
||||
.Ar file
|
||||
should contain a DER-format OCSP response retrieved from an
|
||||
OCSP server for the
|
||||
.Ic cert
|
||||
in use.
|
||||
If the OCSP response in
|
||||
.Ar file
|
||||
is empty, OCSP stapling will not be used.
|
||||
The default is to not use OCSP stapling.
|
||||
.It Ic root Pa directory
|
||||
Specify the root directory for this server
|
||||
.Pq alas the current Dq document root .
|
||||
|
|
25
gmid.c
25
gmid.c
|
@ -194,6 +194,20 @@ make_socket(int port, int family)
|
|||
return sock;
|
||||
}
|
||||
|
||||
static void
|
||||
add_keypair(struct vhost *h)
|
||||
{
|
||||
if (h->ocsp == NULL) {
|
||||
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
|
||||
fatal("failed to load the keypair (%s, %s)",
|
||||
h->cert, h->key);
|
||||
} else {
|
||||
if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp) == -1)
|
||||
fatal("failed to load the keypair (%s, %s, %s)",
|
||||
h->cert, h->key, h->ocsp);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
setup_tls(void)
|
||||
{
|
||||
|
@ -218,12 +232,13 @@ setup_tls(void)
|
|||
if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
|
||||
fatal("tls_config_set_keypair_file failed for (%s, %s)",
|
||||
h->cert, h->key);
|
||||
if (h->ocsp != NULL &&
|
||||
tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
|
||||
fatal("tls_config_set_ocsp_staple_file failed for (%s)",
|
||||
h->ocsp);
|
||||
|
||||
while ((h = TAILQ_NEXT(h, vhosts)) != NULL) {
|
||||
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
|
||||
fatal("failed to load the keypair (%s, %s)",
|
||||
h->cert, h->key);
|
||||
}
|
||||
while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
|
||||
add_keypair(h);
|
||||
|
||||
if (tls_configure(ctx, tlsconf) == -1)
|
||||
fatal("tls_configure: %s", tls_error(ctx));
|
||||
|
|
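Review bot: The two new fatal() calls in add_keypair and the tls_config_set_ocsp_staple_file check in setup_tls report only the file names and drop the reason libtls gives, so a truncated or non-DER staple file dies with no hint of what was wrong; append `tls_config_error(tlsconf)` the way the existing tls_configure failure already appends tls_error(ctx), e.g. `fatal("failed to load the keypair (%s, %s, %s): %s", h->cert, h->key, h->ocsp, tls_config_error(tlsconf));`. The same decision is also made twice: add_keypair picks between the plain and the _ocsp_ keypair loader, while the first vhost in setup_tls calls tls_config_set_keypair_file and then a separate tls_config_set_ocsp_staple_file, so a mismatch between the two paths is easy to introduce later; libtls also provides tls_config_set_keypair_ocsp_file, which would let the first-vhost path mirror add_keypair. Separately, an OCSP response is only valid until its nextUpdate time and, as far as the hunk shows, the file is read once here at setup, so a long-running gmid keeps stapling the same bytes after they expire or after the certificate's status changes, and clients that check the staple may then reject the handshake; the manual page entry for `ocsp` should say that the file has to be refreshed and the server restarted or reloaded before the response expires. setup_tls begins before the second hunk and continues past it.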
1
gmid.h
1
gmid.h
|
@ -118,6 +118,7 @@ struct vhost {
|
|||
const char *domain;
|
||||
const char *cert;
|
||||
const char *key;
|
||||
const char *ocsp;
|
||||
const char *cgi;
|
||||
const char *entrypoint;
|
||||
|
||||
|
|
7
parse.y
7
parse.y
|
@ -120,7 +120,7 @@ typedef struct {
|
|||
%token KEY
|
||||
%token LANG LOCATION LOG
|
||||
%token MAP MIME
|
||||
%token OFF ON
|
||||
%token OCSP OFF ON
|
||||
%token PARAM PORT PREFORK PROTOCOLS
|
||||
%token REQUIRE RETURN ROOT
|
||||
%token SERVER SPAWN STRIP
|
||||
|
@ -271,6 +271,10 @@ servopt : ALIAS string {
|
|||
only_once(host->key, "key");
|
||||
host->key = ensure_absolute_path($2);
|
||||
}
|
||||
| OCSP string {
|
||||
only_once(host->ocsp, "ocsp");
|
||||
host->ocsp = ensure_absolute_path($2);
|
||||
}
|
||||
| PARAM string '=' string {
|
||||
add_param($2, $4, 0);
|
||||
}
|
||||
|
@ -397,6 +401,7 @@ static struct keyword {
|
|||
{"log", LOG},
|
||||
{"map", MAP},
|
||||
{"mime", MIME},
|
||||
{"ocsp", OCSP},
|
||||
{"off", OFF},
|
||||
{"on", ON},
|
||||
{"param", PARAM},
|
||||
|
|