| author | 2017-11-28 01:21:30 +0000 | |
|---|---|---|
| committer | 2017-11-28 01:21:30 +0000 | |
| commit | 5e7d9bbdb994b561a1e02f8f510d76554ec5b4db (patch) | |
| tree | 495436d23ddfbfaae1b7cd58846ec09dc4994758 | |
| parent | relay_load_fd() is no longer clobering errno in the error case so use (diff) | |
| download | wireguard-openbsd-5e7d9bbdb994b561a1e02f8f510d76554ec5b4db.tar.xz wireguard-openbsd-5e7d9bbdb994b561a1e02f8f510d76554ec5b4db.zip | |
Disable OCSP stapling on an invalid staple, rather than failing to start.
ok claudio@ florian@
| -rw-r--r-- | usr.sbin/httpd/httpd.conf.5 | 7 | ||||
| -rw-r--r-- | usr.sbin/httpd/server.c | 16 |
2 files changed, 18 insertions, 5 deletions
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index a3c97629de3..825febaa304 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.84 2017/08/11 20:30:45 jmc Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.85 2017/11/28 01:21:30 beck Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 11 2017 $
+.Dd $Mdocdate: November 28 2017 $
 .Dt HTTPD.CONF 5
 .Os
 .Sh NAME
@@ -558,6 +558,9 @@ OCSP server for the
 .Ar certificate
 in use.
 The default is to not use OCSP stapling.
+If the OSCP response in
+.Ar file
+is unparseable or empty OCSP stapling will not be used.
 .It Ic protocols Ar string
 Specify the TLS protocols to enable for this server.
 If not specified, the value
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 1a57d0be055..39ebcd0da1d 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.111 2017/08/11 18:48:56 jsing Exp $ */
+/* $OpenBSD: server.c,v 1.112 2017/11/28 01:21:30 beck Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -188,8 +188,18 @@ server_tls_load_ocsp(struct server *srv)
 	if ((srv->srv_conf.tls_ocsp_staple = tls_load_file(
 	    srv->srv_conf.tls_ocsp_staple_file,
-	    &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL)
-		return (-1);
+	    &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL) {
+		log_warnx("%s: Failed to load ocsp staple from %s - ignoring", __func__,
+		    srv->srv_conf.tls_ocsp_staple_file);
+		return (0);
+	}
+
+	if (srv->srv_conf.tls_ocsp_staple_len == 0) {
+		log_warnx("%s: ignoring 0 length ocsp staple from %s", __func__,
+		    srv->srv_conf.tls_ocsp_staple_file);
+		return (0);
+	}
+
 	log_debug("%s: using ocsp staple from %s", __func__,
 	    srv->srv_conf.tls_ocsp_staple_file);
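Review bot: The new zero-length branch returns 0 but leaves `srv->srv_conf.tls_ocsp_staple` pointing at the buffer tls_load_file() just allocated, so the staple is "ignored" only in the log message; if the code that later applies the staple keys on the pointer being non-NULL rather than on `tls_ocsp_staple_len` (that code is not in this hunk), it will still hand libtls a 0-byte staple, and the buffer is never released either way. Release it and clear the pointer before returning, e.g. `free(srv->srv_conf.tls_ocsp_staple); srv->srv_conf.tls_ocsp_staple = NULL;` (or whichever libtls unload routine the project pairs with tls_load_file elsewhere), which puts this branch in the same state as the failed-load branch and the no-staple-configured case, as the warning promises. The first log_warnx call also runs past 80 columns; moving `__func__` onto the continuation line keeps it within the file's style. server_tls_load_ocsp() begins before this hunk and continues after it.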
