OCSP stapling: check Content-Type. This will result in better error message in case of incorrect response from OCSP responder: ... OCSP responder sent invalid "Content-Type" header: "text/plain" while requesting certificate status, responder: ... vs. ... d2i_OCSP_RESPONSE() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error) while requesting certificate status, responder: ... Maxim Dounin 8 years ago
1 changed file(s) with 28 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
14241424 static ngx_int_t
14251425 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
14261426 {
1427 size_t len;
14271428 ngx_int_t rc;
14281429
14291430 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
14401441 ctx->header_name_start,
14411442 ctx->header_end - ctx->header_start,
14421443 ctx->header_start);
1444
1445 len = ctx->header_name_end - ctx->header_name_start;
1446
1447 if (len == sizeof("Content-Type") - 1
1448 && ngx_strncasecmp(ctx->header_name_start,
1449 (u_char *) "Content-Type",
1450 sizeof("Content-Type") - 1)
1451 == 0)
1452 {
1453 len = ctx->header_end - ctx->header_start;
1454
1455 if (len != sizeof("application/ocsp-response") - 1
1456 || ngx_strncasecmp(ctx->header_start,
1457 (u_char *) "application/ocsp-response",
1458 sizeof("application/ocsp-response") - 1)
1459 != 0)
1460 {
1461 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
1462 "OCSP responder sent invalid "
1463 "\"Content-Type\" header: \"%*s\"",
1464 ctx->header_end - ctx->header_start,
1465 ctx->header_start);
1466 return NGX_ERROR;
1467 }
1468
1469 continue;
1470 }
14431471
14441472 /* TODO: honor Content-Length */
14451473
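Review bot: The new check only validates "Content-Type" when the responder sends one, because it lives inside the per-header branch and nothing records whether the header was ever seen; a response with no Content-Type at all still falls through to d2i_OCSP_RESPONSE() with the same opaque ASN.1 error this commit set out to replace. If that is intended (RFC 6960 says the header is present, but some responders may omit it), a comment at the top of the branch would save the next reader the question: `/* Content-Type is only checked when present; a response without it still reaches d2i_OCSP_RESPONSE() */`; otherwise a flag set here and tested once the header block ends would close the gap. Note also that the whole-value comparison rejects any media-type parameters or trailing whitespace after "application/ocsp-response", which is probably what you want for OCSP but differs from how HTTP Content-Type is generally matched. Minor style point: `len` already holds the value length after line 1453, so the error log could pass `len` rather than recomputing `ctx->header_end - ctx->header_start`. The enclosing ngx_ssl_ocsp_process_headers() body continues past the end of this section.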