Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Settings to verify OCSP stapling response (if received any) for client connections #2895

Closed
wants to merge 1 commit into from
Closed

Settings to verify OCSP stapling response (if received any) for client connections #2895

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
17 changes: 15 additions & 2 deletions NetSSL_OpenSSL/include/Poco/Net/Context.h
View file
Open in desktop
Expand Up @@ -155,7 +155,11 @@ class NetSSL_API Context: public Poco::RefCountedObject
bool loadDefaultCAs;
/// Specifies whether the builtin CA certificates from OpenSSL are used.
/// Defaults to false.


bool ocspStaplingVerification;
/// Specifies whether Client should verify OCSP Response
/// Defaults to false.

std::string cipherList;
/// Specifies the supported ciphers in OpenSSL notation.
/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
Expand Down Expand Up @@ -371,7 +375,11 @@ class NetSSL_API Context: public Poco::RefCountedObject
/// When choosing a cipher, use the server's preferences instead of the client
/// preferences. When not called, the SSL server will always follow the clients
/// preferences. When called, the SSL/TLS server will choose following its own
/// preferences.
/// preferences.

bool ocspStaplingResponseVerificationEnabled() const;
/// Returns true if automatic OCSP response
/// reception and verification is enabled for client connections

private:
void init(const Params& params);
Expand All @@ -391,6 +399,7 @@ class NetSSL_API Context: public Poco::RefCountedObject
VerificationMode _mode;
SSL_CTX* _pSSLContext;
bool _extendedCertificateVerification;
bool _ocspStaplingResponseVerification;
};


Expand Down Expand Up @@ -429,6 +438,10 @@ inline bool Context::extendedCertificateVerificationEnabled() const
return _extendedCertificateVerification;
}

inline bool Context::ocspStaplingResponseVerificationEnabled() const
{
return _ocspStaplingResponseVerification;
}

} } // namespace Poco::Net

Expand Down
5 changes: 5 additions & 0 deletions NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
View file
Open in desktop
Expand Up @@ -278,6 +278,11 @@ class NetSSL_API SSLManager
/// Throws a InvalidStateException if not application instance
/// is available.

static int verifyOCSPResponse(SSL *s, void *arg);
/// The return value of this method defines how errors in
/// verification are handled. Return 0 to terminate the handshake,
/// or 1 to continue .

private:
SSLManager();
/// Creates the SSLManager.
Expand Down
15 changes: 12 additions & 3 deletions NetSSL_OpenSSL/src/Context.cpp
View file
Open in desktop
Expand Up @@ -34,6 +34,7 @@ Context::Params::Params():
verificationMode(VERIFY_RELAXED),
verificationDepth(9),
loadDefaultCAs(false),
ocspStaplingVerification(false),
cipherList("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")
{
}
Expand All @@ -43,7 +44,8 @@ Context::Context(Usage usage, const Params& params):
_usage(usage),
_mode(params.verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
init(params);
}
Expand All @@ -61,7 +63,8 @@ Context::Context(
_usage(usage),
_mode(verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
Params params;
params.privateKeyFile = privateKeyFile;
Expand All @@ -85,7 +88,8 @@ Context::Context(
_usage(usage),
_mode(verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
Params params;
params.caLocation = caLocation;
Expand Down Expand Up @@ -174,6 +178,11 @@ void Context::init(const Params& params)
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);

if (!isForServerUse() && params.ocspStaplingVerification){
_ocspStaplingResponseVerification = true;
SSL_CTX_set_tlsext_status_cb(_pSSLContext, &SSLManager::verifyOCSPResponse);
}

initDH(params.dhParamsFile);
initECDH(params.ecdhCurve);
}
Expand Down
18 changes: 18 additions & 0 deletions NetSSL_OpenSSL/src/SSLManager.cpp
View file
Open in desktop
Expand Up @@ -25,6 +25,8 @@
#include "Poco/Util/Application.h"
#include "Poco/Util/OptionException.h"

#include <openssl/ocsp.h>
#include <openssl/tls1.h>

namespace Poco {
namespace Net {
Expand Down Expand Up @@ -234,7 +236,23 @@ int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int /*flag*/,
return size;
}

int SSLManager::verifyOCSPResponse(SSL *s, void *arg)
{
const unsigned char *p;
int len;
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
if (p == NULL) {
return 1;
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (rsp == NULL) {
return 0;
}
OCSP_RESPONSE_free(rsp);
return 1;

}
void SSLManager::initDefaultContext(bool server)
{
if (server && _ptrDefaultServerContext) return;
Expand Down
3 changes: 3 additions & 0 deletions NetSSL_OpenSSL/src/SecureSocketImpl.cpp
View file
Open in desktop
Expand Up @@ -163,6 +163,9 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
SSL_set_tlsext_host_name(_pSSL, _peerHostName.c_str());
}
#endif

if(_pContext->ocspStaplingResponseVerificationEnabled())
SSL_set_tlsext_status_type(_pSSL, TLSEXT_STATUSTYPE_ocsp);

if (_pSession)
{
Expand Down