# Responder is running as a vhost.
#
url = "http://127.0.0.1/ocsp/"
+
+ #
+ # If the OCSP Responder can not cope with nonce
+ # in the request, then it can be disabled here.
+ #
+ # For security reasons, disabling this option
+ # is not recommended as nonce protects against
+ # replay attacks.
+ #
+ # Note that Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is
+ # more secure to enable nonce on the responder than
+ # to disable it in the query here.
+ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ #
+ # use_nonce = yes
}
}
offsetof(fr_tls_server_conf_t, ocsp_override_url), NULL, "no"},
{ "url", PW_TYPE_STRING_PTR,
offsetof(fr_tls_server_conf_t, ocsp_url), NULL, NULL },
+ { "use_nonce", PW_TYPE_BOOLEAN,
+ offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"},
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
#endif
certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
req = OCSP_REQUEST_new();
OCSP_request_add0_id(req, certid);
- OCSP_request_add1_nonce(req, NULL, 8);
+ if(conf->ocsp_use_nonce) {
+ OCSP_request_add1_nonce(req, NULL, 8);
+ }
/*
* Send OCSP Request and get OCSP Response
goto ocsp_end;
}
bresp = OCSP_response_get1_basic(resp);
- if(OCSP_check_nonce(req, bresp)!=1) {
+ if(conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1) {
radlog(L_ERR, "Error: OCSP response has wrong nonce value");
goto ocsp_end;
}