override_cert_url = yes
#
- # If the OCSP Responder address is not
- # extracted from the certificate, the
- # URL can be defined here.
-
- #
- # Limitation: Currently the HTTP
- # Request is not sending the "Host: "
- # information to the web-server. This
- # can be a problem if the OCSP
- # Responder is running as a vhost.
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
#
url = "http://127.0.0.1/ocsp/"
char *host = NULL;
char *port = NULL;
char *path = NULL;
+ char hostheader[1024];
int use_ssl = -1;
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
BIO *cbio, *bio_out;
DEBUG2("[ocsp] --> Responder URL = http://%s:%s%s", host, port, path);
+ /* Check host and port length are sane, then create Host: HTTP header */
+ if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
+ ERROR("OCSP Host and port too long");
+ goto ocsp_skip;
+ }
+ snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
+
/* Setup BIO socket to OCSP responder */
cbio = BIO_new_connect(host);
goto ocsp_end;
}
- ctx = OCSP_sendreq_new(cbio, path, req, -1);
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
if (!ctx) {
- ERROR("Couldn't send OCSP request");
+ ERROR("Couldn't create OCSP request");
+ ocsp_ok = 2;
+ goto ocsp_end;
+ }
+
+ if (!OCSP_REQ_CTX_add1_header(ctx, "Host", hostheader)) {
+ ERROR("Couldn't set Host header");
+ ocsp_ok = 2;
+ goto ocsp_end;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
+ ERROR("Couldn't add data to OCSP request");
ocsp_ok = 2;
goto ocsp_end;
}
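Review bot: The length-check failure path (`goto ocsp_skip` right after `ERROR("OCSP Host and port too long")`) does not set `ocsp_ok` and jumps to a different label than every other new error path in this hunk, which all do `ocsp_ok = 2; goto ocsp_end;`; since the config text says the responder address is normally extracted from the certificate, an oversized host/port is presumably reachable from a peer-supplied certificate when `override_cert_url` is off, so this case should fail the same way the other request-construction failures do — `ocsp_ok = 2; goto ocsp_end;` (or whatever value the function treats as a hard failure), rather than silently taking the skip path. Separately, the two new early exits after `OCSP_sendreq_new` succeeds (the `OCSP_REQ_CTX_add1_header` and `OCSP_REQ_CTX_set1_req` failures) reach `ocsp_end` with a live `ctx`, whereas the original only exited there with `ctx == NULL`; unless `ocsp_end` already calls `OCSP_REQ_CTX_free(ctx)`, these paths leak the request context. The enclosing function starts and ends outside this hunk, so the label semantics and the cleanup at `ocsp_end` cannot be confirmed from here.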