mirror of https://github.com/omar-polo/gmid.git
Implement OCSP stapling support
Currently dogfooding this patch at gemini.sgregoratto.me. To test, run the following command and look for the "OCSP response" header: openssl s_client -connect "gemini.sgregoratto.me:1965" -status
This commit is contained in:
parent
387b976b99
commit
ff05125eb8
13
gmid.1
13
gmid.1
|
@ -412,6 +412,19 @@ Set the param
|
||||||
to
|
to
|
||||||
.Ar value
|
.Ar value
|
||||||
for FastCGI.
|
for FastCGI.
|
||||||
|
.It Ic ocsp Ar file
|
||||||
|
Specify an OCSP response to be stapled during TLS handshakes
|
||||||
|
with this server.
|
||||||
|
The
|
||||||
|
.Ar file
|
||||||
|
should contain a DER-format OCSP response retrieved from an
|
||||||
|
OCSP server for the
|
||||||
|
.Ic cert
|
||||||
|
in use.
|
||||||
|
If the OCSP response in
|
||||||
|
.Ar file
|
||||||
|
is empty, OCSP stapling will not be used.
|
||||||
|
The default is to not use OCSP stapling.
|
||||||
.It Ic root Pa directory
|
.It Ic root Pa directory
|
||||||
Specify the root directory for this server
|
Specify the root directory for this server
|
||||||
.Pq alas the current Dq document root .
|
.Pq alas the current Dq document root .
|
||||||
|
|
25
gmid.c
25
gmid.c
|
@ -194,6 +194,20 @@ make_socket(int port, int family)
|
||||||
return sock;
|
return sock;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
add_keypair(struct vhost *h)
|
||||||
|
{
|
||||||
|
if (h->ocsp == NULL) {
|
||||||
|
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
|
||||||
|
fatal("failed to load the keypair (%s, %s)",
|
||||||
|
h->cert, h->key);
|
||||||
|
} else {
|
||||||
|
if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp) == -1)
|
||||||
|
fatal("failed to load the keypair (%s, %s, %s)",
|
||||||
|
h->cert, h->key, h->ocsp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
setup_tls(void)
|
setup_tls(void)
|
||||||
{
|
{
|
||||||
|
@ -218,12 +232,13 @@ setup_tls(void)
|
||||||
if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
|
if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
|
||||||
fatal("tls_config_set_keypair_file failed for (%s, %s)",
|
fatal("tls_config_set_keypair_file failed for (%s, %s)",
|
||||||
h->cert, h->key);
|
h->cert, h->key);
|
||||||
|
if (h->ocsp != NULL &&
|
||||||
|
tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
|
||||||
|
fatal("tls_config_set_ocsp_staple_file failed for (%s)",
|
||||||
|
h->ocsp);
|
||||||
|
|
||||||
while ((h = TAILQ_NEXT(h, vhosts)) != NULL) {
|
while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
|
||||||
if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
|
add_keypair(h);
|
||||||
fatal("failed to load the keypair (%s, %s)",
|
|
||||||
h->cert, h->key);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (tls_configure(ctx, tlsconf) == -1)
|
if (tls_configure(ctx, tlsconf) == -1)
|
||||||
fatal("tls_configure: %s", tls_error(ctx));
|
fatal("tls_configure: %s", tls_error(ctx));
|
||||||
|
|
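Review bot: The OCSP response is read from disk exactly once, in add_keypair() via tls_config_add_keypair_ocsp_file and in the first-vhost path via tls_config_set_ocsp_staple_file, and nothing in these hunks refreshes it; an OCSP response carries a nextUpdate time, so the stapled blob goes stale unless the operator re-fetches the file and restarts (or reloads, if the server supports that outside this view) before then, and clients that check freshness may then reject the staple. A comment at the top of add_keypair would make that operational requirement explicit, e.g. `/* Loaded once at startup: re-fetch the response and restart before its nextUpdate, or clients get a stale staple. */`. The first vhost also duplicates the helper with two separate calls and two failure paths; the companion libtls call `tls_config_set_keypair_ocsp_file(tlsconf, h->cert, h->key, h->ocsp)` would let that path mirror add_keypair. Both fatal() messages could append tls_config_error(tlsconf) so the operator learns why the keypair or staple failed to load, as the tls_configure check already does with tls_error(ctx). setup_tls's body extends beyond the visible hunks.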
1
gmid.h
1
gmid.h
|
@ -118,6 +118,7 @@ struct vhost {
|
||||||
const char *domain;
|
const char *domain;
|
||||||
const char *cert;
|
const char *cert;
|
||||||
const char *key;
|
const char *key;
|
||||||
|
const char *ocsp;
|
||||||
const char *cgi;
|
const char *cgi;
|
||||||
const char *entrypoint;
|
const char *entrypoint;
|
||||||
|
|
||||||
|
|
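Review bot: The new `ocsp` member of struct vhost carries no comment, while add_keypair() in this same commit branches on it being NULL to decide whether a staple is configured; a one-line comment would pin that contract for the next reader, e.g. `const char *ocsp; /* path to a DER OCSP response to staple; NULL disables stapling */`. The enclosing struct vhost begins before the hunk.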
7
parse.y
7
parse.y
|
@ -120,7 +120,7 @@ typedef struct {
|
||||||
%token KEY
|
%token KEY
|
||||||
%token LANG LOCATION LOG
|
%token LANG LOCATION LOG
|
||||||
%token MAP MIME
|
%token MAP MIME
|
||||||
%token OFF ON
|
%token OCSP OFF ON
|
||||||
%token PARAM PORT PREFORK PROTOCOLS
|
%token PARAM PORT PREFORK PROTOCOLS
|
||||||
%token REQUIRE RETURN ROOT
|
%token REQUIRE RETURN ROOT
|
||||||
%token SERVER SPAWN STRIP
|
%token SERVER SPAWN STRIP
|
||||||
|
@ -271,6 +271,10 @@ servopt : ALIAS string {
|
||||||
only_once(host->key, "key");
|
only_once(host->key, "key");
|
||||||
host->key = ensure_absolute_path($2);
|
host->key = ensure_absolute_path($2);
|
||||||
}
|
}
|
||||||
|
| OCSP string {
|
||||||
|
only_once(host->ocsp, "ocsp");
|
||||||
|
host->ocsp = ensure_absolute_path($2);
|
||||||
|
}
|
||||||
| PARAM string '=' string {
|
| PARAM string '=' string {
|
||||||
add_param($2, $4, 0);
|
add_param($2, $4, 0);
|
||||||
}
|
}
|
||||||
|
@ -397,6 +401,7 @@ static struct keyword {
|
||||||
{"log", LOG},
|
{"log", LOG},
|
||||||
{"map", MAP},
|
{"map", MAP},
|
||||||
{"mime", MIME},
|
{"mime", MIME},
|
||||||
|
{"ocsp", OCSP},
|
||||||
{"off", OFF},
|
{"off", OFF},
|
||||||
{"on", ON},
|
{"on", ON},
|
||||||
{"param", PARAM},
|
{"param", PARAM},
|
||||||
|
|