GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 08:46:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

Allow setting OCSP responses.

Browse Source
This commit is contained in:
Nikos Mavrogiannopoulos
2013-03-05 01:42:25 +01:00
parent 8ffe2f9d26
commit 6c54a37e69
6 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/config.c
View File

@@ -144,6 +144,7 @@ unsigned j;
READ_NUMERIC("dpd", config->dpd, 0); READ_NUMERIC("dpd", config->dpd, 0);
READ_NUMERIC("rate-limit-ms", config->rate_limit_ms, 10); READ_NUMERIC("rate-limit-ms", config->rate_limit_ms, 10);
READ_STRING("ocsp-response", config->cert, 0);
READ_STRING("server-cert", config->cert, 1); READ_STRING("server-cert", config->cert, 1);
READ_STRING("server-key", config->key, 1); READ_STRING("server-key", config->key, 1);
READ_STRING("pin-file", config->pin_file, 0); READ_STRING("pin-file", config->pin_file, 0);
@@ -326,6 +327,7 @@ unsigned i;
DEL(config->xml_config_hash); DEL(config->xml_config_hash);
DEL(config->cert_hash); DEL(config->cert_hash);
#endif #endif
DEL(config->ocsp_response);
DEL(config->banner); DEL(config->banner);
DEL(config->name); DEL(config->name);
DEL(config->cert); DEL(config->cert);

2
src/ocserv-args.c
View File

@@ -2,7 +2,7 @@
* *
* DO NOT EDIT THIS FILE (ocserv-args.c) * DO NOT EDIT THIS FILE (ocserv-args.c)
* *
* It has been AutoGen-ed March 4, 2013 at 08:45:35 PM by AutoGen 5.16 * It has been AutoGen-ed March 5, 2013 at 01:41:50 AM by AutoGen 5.16
* From the definitions ocserv-args.def * From the definitions ocserv-args.def
* and the template file options * and the template file options
* *

9
src/ocserv-args.def
View File

@@ -118,6 +118,15 @@ try-mtu-discovery = false
server-cert = /path/to/cert.pem server-cert = /path/to/cert.pem
server-key = /path/to/key.pem server-key = /path/to/key.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available # In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the # in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key. # storage root key.

2
src/ocserv-args.h
View File

@@ -2,7 +2,7 @@
* *
* DO NOT EDIT THIS FILE (ocserv-args.h) * DO NOT EDIT THIS FILE (ocserv-args.h)
* *
* It has been AutoGen-ed March 4, 2013 at 08:45:35 PM by AutoGen 5.16 * It has been AutoGen-ed March 5, 2013 at 01:41:50 AM by AutoGen 5.16
* From the definitions ocserv-args.def * From the definitions ocserv-args.def
* and the template file options * and the template file options
* *

5
src/tlslib.c
View File

@@ -427,6 +427,11 @@ const char* perr;
mslog(s, NULL, LOG_ERR, "error in TLS priority string: %s\n", perr); mslog(s, NULL, LOG_ERR, "error in TLS priority string: %s\n", perr);
GNUTLS_FATAL_ERR(ret); GNUTLS_FATAL_ERR(ret);
if (s->config->ocsp_response != NULL) {
ret = gnutls_certificate_set_ocsp_status_request_file(s->creds.xcred,
s->config->ocsp_response, 0);
GNUTLS_FATAL_ERR(ret);
}
return; return;
} }

1
src/vpn.h
View File

@@ -71,6 +71,7 @@ struct cfg_st {
char *priorities; char *priorities;
char *chroot_dir; /* where the xml files are served from */ char *chroot_dir; /* where the xml files are served from */
char *banner; char *banner;
char *ocsp_response; /* file with the OCSP response */
time_t cookie_validity; /* in seconds */ time_t cookie_validity; /* in seconds */
time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */ time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */
unsigned auth_timeout; /* timeout of HTTP auth */ unsigned auth_timeout; /* timeout of HTTP auth */