comparison src/event/ngx_event_openssl_stapling.c @ 4876:1a008f968f6d
OCSP stapling: check Content-Type.
This will result in a better error message in case of an incorrect response
from the OCSP responder:
... OCSP responder sent invalid "Content-Type" header: "text/plain"
while requesting certificate status, responder: ...
vs.
... d2i_OCSP_RESPONSE() failed (SSL:
error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
while requesting certificate status, responder: ...
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:48:54 +0000 |
parents | 386a06a22c40 |
children | 695cc88ad649 |
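--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -1423,10 +1423,11 @@
 
 
 static ngx_int_t
 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
 {
+size_t len;
 ngx_int_t rc;
 
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
 "ssl ocsp process headers");
 
@@ -1439,10 +1440,37 @@
 "ssl ocsp header \"%*s: %*s\"",
 ctx->header_name_end - ctx->header_name_start,
 ctx->header_name_start,
 ctx->header_end - ctx->header_start,
 ctx->header_start);
+
+len = ctx->header_name_end - ctx->header_name_start;
+
+if (len == sizeof("Content-Type") - 1
+&& ngx_strncasecmp(ctx->header_name_start,
+(u_char *) "Content-Type",
+sizeof("Content-Type") - 1)
+== 0)
+{
+len = ctx->header_end - ctx->header_start;
+
+if (len != sizeof("application/ocsp-response") - 1
+|| ngx_strncasecmp(ctx->header_start,
+(u_char *) "application/ocsp-response",
+sizeof("application/ocsp-response") - 1)
+!= 0)
+{
+ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+"OCSP responder sent invalid "
+"\"Content-Type\" header: \"%*s\"",
+ctx->header_end - ctx->header_start,
+ctx->header_start);
+return NGX_ERROR;
+}
+
+continue;
+}
 
 /* TODO: honor Content-Length */
 
 continue;
 }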
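Review bot: The new Content-Type test in ngx_ssl_ocsp_process_headers() only runs when the responder actually sends that header, so a reply with no Content-Type at all presumably still reaches body parsing and ends in the old d2i_OCSP_RESPONSE() error. If the clearer diagnostic is wanted for every non-OCSP reply, the function would have to record that the header was seen and reject once the header loop finishes; the start and end of that loop are outside the visible lines, so this is a suggestion rather than a confirmed gap. The value comparison is also an exact length-and-content match, so a value carrying a media-type parameter or stray trailing whitespace would be logged as invalid, depending on how the header parser trims the value. A short comment above the inner `if`, for example `/* exact match only: media-type parameters are rejected */`, would record that the strictness is deliberate. The same block could pass the already computed `len` to ngx_log_error() instead of repeating `ctx->header_end - ctx->header_start`.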