Add option to be able to disable nonce in OCSP request
authorMatthew Newton <mcn4@leicester.ac.uk>
Thu, 12 Jan 2012 16:53:29 +0000 (16:53 +0000)
committerMatthew Newton <mcn4@leicester.ac.uk>
Thu, 12 Jan 2012 17:51:10 +0000 (17:51 +0000)
Some OCSP responders cannot cope with an OCSP request if a nonce is used,
so this adds a way to allow FreeRADIUS to work with them.

raddb/mods-available/eap
src/include/tls.h
src/main/tls.c

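index 71aa702..26195d5 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
                               #  Responder is running as a vhost.
                               #
                               url = "http://127.0.0.1/ocsp/"
+
+                             #
+                             # If the OCSP Responder can not cope with nonce
+                             # in the request, then it can be disabled here.
+                             #
+                             # For security reasons, disabling this option
+                             # is not recommended as nonce protects against
+                             # replay attacks.
+                             #
+                             # Note that Microsoft AD Certificate Services OCSP
+                             # Responder does not enable nonce by default. It is
+                             # more secure to enable nonce on the responder than
+                             # to disable it in the query here.
+                             # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+                             #
+                             # use_nonce = yes
                         }
                 }
 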
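index c34ea0b..2e88383 100644
--- a/src/include/tls.h
+++ b/src/include/tls.h
@@ -374,6 +374,7 @@ struct fr_tls_server_conf_t {
        int             ocsp_enable;
        int             ocsp_override_url;
        char            *ocsp_url;
+       int             ocsp_use_nonce;
        X509_STORE      *ocsp_store;
 #endif
 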
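index f33841d..c975758 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -779,6 +779,8 @@ static CONF_PARSER ocsp_config[] = {
          offsetof(fr_tls_server_conf_t, ocsp_override_url), NULL, "no"},
        { "url", PW_TYPE_STRING_PTR,
          offsetof(fr_tls_server_conf_t, ocsp_url), NULL, NULL },
+       { "use_nonce", PW_TYPE_BOOLEAN,
+         offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"},
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 #endif
@@ -1074,7 +1076,9 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
        certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
        req = OCSP_REQUEST_new();
        OCSP_request_add0_id(req, certid);
-       OCSP_request_add1_nonce(req, NULL, 8);
+       if(conf->ocsp_use_nonce) {
+               OCSP_request_add1_nonce(req, NULL, 8);
+       }
 
        /*
         * Send OCSP Request and get OCSP Response
@@ -1113,7 +1117,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
                goto ocsp_end;
        }
        bresp = OCSP_response_get1_basic(resp);
-       if(OCSP_check_nonce(req, bresp)!=1) {
+       if(conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1) {
                radlog(L_ERR, "Error: OCSP response has wrong nonce value");
                goto ocsp_end;
        }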
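Review bot: With use_nonce = no the condition `if(conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1)` removes the only binding between this request and the response, so a previously captured "good" response for the same certificate would be accepted again until it is rejected on other grounds; unless the response's thisUpdate/nextUpdate window is validated further down with OCSP_check_validity() — outside this hunk, so I cannot confirm it — that window becomes the sole freshness control and should be checked when the nonce is disabled. Operators should also be able to see the downgrade in the logs: after this `if` block, `if (!conf->ocsp_use_nonce) radlog(L_DBG, "OCSP: nonce check skipped because use_nonce = no");` makes a stale response traceable to the configuration choice rather than to a responder fault. The same consideration applies to the request-side hunk above, where OCSP_request_add1_nonce() is now conditional; ocsp_check() itself begins before that hunk.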