Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 4876:1a008f968f6d
OCSP stapling: check Content-Type.
This will result in better error message in case of incorrect response
from OCSP responder:
... OCSP responder sent invalid "Content-Type" header: "text/plain"
while requesting certificate status, responder: ...
vs.
... d2i_OCSP_RESPONSE() failed (SSL:
error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
while requesting certificate status, responder: ...
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 01 Oct 2012 12:48:54 +0000 |
| parents | 386a06a22c40 |
| children | 695cc88ad649 |
comparison
equal
deleted
inserted
replaced
| 4875:386a06a22c40 | 4876:1a008f968f6d |
|---|---|
| 1423 | 1423 |
| 1424 | 1424 |
| 1425 static ngx_int_t | 1425 static ngx_int_t |
| 1426 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx) | 1426 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx) |
| 1427 { | 1427 { |
| 1428 size_t len; | |
| 1428 ngx_int_t rc; | 1429 ngx_int_t rc; |
| 1429 | 1430 |
| 1430 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 1431 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
| 1431 "ssl ocsp process headers"); | 1432 "ssl ocsp process headers"); |
| 1432 | 1433 |
| 1439 "ssl ocsp header \"%*s: %*s\"", | 1440 "ssl ocsp header \"%*s: %*s\"", |
| 1440 ctx->header_name_end - ctx->header_name_start, | 1441 ctx->header_name_end - ctx->header_name_start, |
| 1441 ctx->header_name_start, | 1442 ctx->header_name_start, |
| 1442 ctx->header_end - ctx->header_start, | 1443 ctx->header_end - ctx->header_start, |
| 1443 ctx->header_start); | 1444 ctx->header_start); |
| 1445 | |
| 1446 len = ctx->header_name_end - ctx->header_name_start; | |
| 1447 | |
| 1448 if (len == sizeof("Content-Type") - 1 | |
| 1449 && ngx_strncasecmp(ctx->header_name_start, | |
| 1450 (u_char *) "Content-Type", | |
| 1451 sizeof("Content-Type") - 1) | |
| 1452 == 0) | |
| 1453 { | |
| 1454 len = ctx->header_end - ctx->header_start; | |
| 1455 | |
| 1456 if (len != sizeof("application/ocsp-response") - 1 | |
| 1457 || ngx_strncasecmp(ctx->header_start, | |
| 1458 (u_char *) "application/ocsp-response", | |
| 1459 sizeof("application/ocsp-response") - 1) | |
| 1460 != 0) | |
| 1461 { | |
| 1462 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | |
| 1463 "OCSP responder sent invalid " | |
| 1464 "\"Content-Type\" header: \"%*s\"", | |
| 1465 ctx->header_end - ctx->header_start, | |
| 1466 ctx->header_start); | |
| 1467 return NGX_ERROR; | |
| 1468 } | |
| 1469 | |
| 1470 continue; | |
| 1471 } | |
| 1444 | 1472 |
| 1445 /* TODO: honor Content-Length */ | 1473 /* TODO: honor Content-Length */ |
| 1446 | 1474 |
| 1447 continue; | 1475 continue; |
| 1448 } | 1476 } |