On 11.12.2010 20:27, Jim Jagielski wrote: > I've heard no objections, so on monday (12/13) I'll start > the T&R.
Is there any chance that the attached patch might make it into 2.3.10? It includes two OCSP related changes for mod_ssl: - addresses https://issues.apache.org/bugzilla/show_bug.cgi?id=49784 by adding two config directives (SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge) and defining new default values - prevents mod_ssl from doing unnecessary OCSP checks (valid self-issued certs, i.e. trust anchors configured through SSLCACertificate{File,Path}) Note that mod_ssl's current hardcoded OCSP defaults for the time skew (60 seconds) and the max age (360 seconds) are quite aggressive - especially the latter one. As PR 49784 illustrates, real-world OCSP responses often have a validity of one or more days, and are not updated at 5-minute intervals. I therefore suggest to default to -1 for the max age, and to 300 seconds for the time skew - this also matches the defaults which are currently applied in mod_ssl's OCSP stapling code. Kaspar
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1044771)
+++ modules/ssl/ssl_private.h (working copy)
@@ -179,6 +179,11 @@
 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
 #endif
+/* Default for OCSP response validity */
+#ifndef OCSP_MAX_SKEW
+#define OCSP_MAX_SKEW (60 * 5)
+#endif
+
 /**
 * Support for MM library
 */
@@ -516,6 +521,8 @@
 BOOL ocsp_force_default; /* true if the default responder URL is
 * used regardless of per-cert URL */
 const char *ocsp_responder; /* default responder URL */
+ long ocsp_resptime_skew;
+ long ocsp_resp_maxage;
 } modssl_ctx_t;
@@ -620,6 +627,8 @@
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1044771)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -197,6 +197,10 @@
 "URL of the default OCSP Responder")
 SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
 "Force use of the default responder URL ('on', 'off')")
+ SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+ "Maximum time difference in OCSP responses")
+ SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+ "Maximum age of OCSP responses")
 #ifdef HAVE_OCSP_STAPLING
 /*
Index: modules/ssl/ssl_engine_ocsp.c
===================================================================
--- modules/ssl/ssl_engine_ocsp.c (revision 1044771)
+++ modules/ssl/ssl_engine_ocsp.c (working copy)
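Review bot: The comment `/* Default for OCSP response validity */` above the new `OCSP_MAX_SKEW` in ssl_private.h describes the wrong thing: the macro is the fallback clock-skew tolerance, in seconds, used when SSLOCSPResponseTimeSkew is not configured, not a validity period, and it says nothing about the max-age default, which in this patch is the implicit UNSET passed through from ssl_engine_ocsp.c. Suggest `/* Default max clock skew (seconds) tolerated when checking OCSP response times; applies when SSLOCSPResponseTimeSkew is unset. The max-age default is "no limit" (UNSET). */`. Keeping both defaults documented in one place saves the next reader a trip to ssl_engine_ocsp.c.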
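Review bot: The two new members of modssl_ctx_t carry no trailing comment while every neighbour in the struct does, and their UNSET semantics differ (the skew falls back to OCSP_MAX_SKEW, the max age is passed verbatim and -1 then means unlimited), which a reader cannot tell from the declarations. Suggest `long ocsp_resptime_skew; /* seconds; UNSET -> OCSP_MAX_SKEW */` and `long ocsp_resp_maxage;   /* seconds; UNSET (-1) -> no age limit */`.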
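Review bot: The directive description `"Maximum time difference in OCSP responses"` in the mod_ssl.c hunk is vague about what is compared against what and omits the unit, and it does not match the wording the same patch adds to the manual. Suggest `"Maximum allowable time skew (seconds) for OCSP response validation"` and `"Maximum allowable age (seconds) of OCSP responses (-1 = unlimited)"` so `httpd -L` output and the manual agree.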
@@ -205,15 +205,16 @@
 rc = status;
 }
- /* TODO: make these configurable. */
-#define MAX_SKEW (60)
-#define MAX_AGE (360)
-
 /* Check whether the response is inside the defined validity
 * period; otherwise fail. */
 if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
- int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
-
+ long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
+ OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
+ /* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
+ * that responses can be of any age as long as nextup is in the
+ * future. */
+ int vrc = OCSP_check_validity(thisup, nextup, resptime_skew,
+ sc->server->ocsp_resp_maxage);
 if (vrc != 1) {
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
@@ -251,6 +252,12 @@
 apr_pool_t *vpool;
 int rv;
+ /* don't do OCSP checking for valid self-issued certs */
+ if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ return 1;
+ }
+
 /* Create a temporary pool to constrain memory use (the passed-in
 * pool may be e.g. a connection pool). */
 apr_pool_create(&vpool, pool);
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1044771)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -130,6 +130,8 @@
 mctx->ocsp_enabled = FALSE;
 mctx->ocsp_force_default = FALSE;
 mctx->ocsp_responder = NULL;
+ mctx->ocsp_resptime_skew = UNSET;
+ mctx->ocsp_resp_maxage = UNSET;
 #ifdef HAVE_OCSP_STAPLING
 mctx->stapling_enabled = UNSET;
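Review bot: The new comment's claim that with UNSET a response "can be of any age as long as nextup is in the future" covers only responses that carry a nextUpdate; that field is optional in OCSP, and if OCSP_check_validity skips the nextUpdate comparison when `nextup` is NULL (as I recall it does), a response without one is accepted regardless of age under the new -1 default, bounded only by the skew check on thisUpdate. Since -1 becomes the shipped default, the comment, and the matching paragraph added to mod_ssl.xml, should state that, e.g. `/* ocsp_resp_maxage is passed verbatim: UNSET (-1) disables the age check, so a response is accepted as long as nextUpdate, when present, is still in the future. */`. `oscp` in the comment is a typo for `ocsp`. The enclosing function begins and ends outside this hunk.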
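Review bot: The guard `cert->valid && X509_check_issued(cert,cert) == X509_V_OK` is narrower than "valid self-issued certs, i.e. trust anchors" in the cover mail: X509_check_issued() compares issuer/subject names and the key-identifier and key-usage extensions, it neither verifies a signature nor establishes that `cert` is one of the anchors loaded from SSLCACertificate{File,Path}, and `valid` is an OpenSSL-internal X509 field (as far as I recall it is set once the chain signature check for that cert has run, which under SSLVerifyClient optional_no_ca can happen for an untrusted self-signed peer certificate as well). Skipping the OCSP request is still reasonable, because a self-issued certificate would have to vouch for its own status, but the comment should give that reasoning rather than the trust-anchor one, e.g. `/* A self-issued cert can only be vouched for by itself, so an OCSP query is meaningless; skip it once chain validation has accepted the cert. */`. Reading `cert->valid` directly also ties mod_ssl to the X509 struct layout; worth a note if no accessor exists in the supported OpenSSL versions. The enclosing function starts before this hunk.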
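Review bot: The two fields are initialised to UNSET next to ocsp_enabled/ocsp_force_default/ocsp_responder, but the patch does not touch the per-vhost merge in modssl_ctx_cfg_merge (outside these hunks), so unless that is handled elsewhere a virtual host that does not set the new directives keeps UNSET and silently reverts to the built-in defaults instead of inheriting the base server's values, while its ocsp_* neighbours are merged. If that asymmetry is intended it deserves a comment here; otherwise add `cfgMergeInt(ocsp_resptime_skew);` and `cfgMergeInt(ocsp_resp_maxage);` alongside the existing ocsp_* merges.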
@@ -1442,6 +1444,26 @@
 return NULL;
 }
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resptime_skew = atoi(arg);
+ if (sc->server->ocsp_resptime_skew < 0) {
+ return "SSLOCSPResponseTimeSkew: invalid argument";
+ }
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resp_maxage = atoi(arg);
+ if (sc->server->ocsp_resp_maxage < 0) {
+ return "SSLOCSPResponseMaxAge: invalid argument";
+ }
+ return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Index: docs/manual/mod/mod_ssl.xml
===================================================================
--- docs/manual/mod/mod_ssl.xml (revision 1044771)
+++ docs/manual/mod/mod_ssl.xml (working copy)
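Review bot: `atoi(arg)` in both new directive handlers gives no error indication, so a mistyped value such as `30s` or `abc` becomes 0, passes the `< 0` guard, and silently configures a zero skew (any clock difference rejects the response) or a zero max age (every response whose thisUpdate is already in the past is rejected), turning a config typo into hard OCSP failures at runtime rather than a startup error. The guard also makes the documented default of `-1` for SSLOCSPResponseMaxAge impossible to set explicitly, so a virtual host cannot override a base-server limit back to "unlimited", and the field is written before validation, leaving the rejected value behind. Parse with strtol, reject an empty argument or trailing characters, assign only on success, and let SSLOCSPResponseMaxAge accept -1 as the explicit no-limit value; ssl_cmd_SSLOCSPResponseMaxAge below needs the same change.
```c
const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *end;
    long skew = strtol(arg, &end, 10);

    /* reject empty input, trailing garbage and negative values instead
     * of letting a bad string become 0 */
    if (*arg == '\0' || *end != '\0' || skew < 0) {
        return "SSLOCSPResponseTimeSkew: invalid argument";
    }
    sc->server->ocsp_resptime_skew = skew;
    return NULL;
}

/* … ssl_cmd_SSLOCSPResponseMaxAge: same parsing, with `maxage < -1` as the
 * rejection bound so an explicit -1 (no limit) is accepted … */
```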
@@ -1837,6 +1837,38 @@
 </directivesynopsis>
 <directivesynopsis>
+<name>SSLOCSPResponseTimeSkew</name>
+<description>Maximum allowable time skew for OCSP response validation</description>
+<syntax>SSLOCSPResponseTimeSkew <em>seconds</em></syntax>
+<default>SSLOCSPResponseTimeSkew 300</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable time skew for OCSP responses
+(when checking their <code>thisUpdate</code> and <code>nextUpdate</code> fields).</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPResponseMaxAge</name>
+<description>Maximum allowable age for OCSP responses</description>
+<syntax>SSLOCSPResponseMaxAge <em>seconds</em></syntax>
+<default>SSLOCSPResponseMaxAge -1</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable age ("freshness") for OCSP responses.
+The default value (<code>-1</code>) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+<code>nextUpdate</code> field is in the future.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLInsecureRenegotiation</name>
 <description>Option to enable support for insecure renegotiation</description>
 <syntax>SSLInsecureRenegotiation <em>flag</em></syntax>