OCSP stapling: check Content-Type.
This results in a better error message in case of an incorrect response from the OCSP responder: ... OCSP responder sent invalid "Content-Type" header: "text/plain" while requesting certificate status, responder: ... vs. ... d2i_OCSP_RESPONSE() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error) while requesting certificate status, responder: ...
This commit is contained in:
parent
2bc96fc38b
commit
a8c15d74c1
1 changed files with 28 additions and 0 deletions
|
@ -1425,6 +1425,7 @@ done:
|
|||
static ngx_int_t
|
||||
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
|
||||
{
|
||||
size_t len;
|
||||
ngx_int_t rc;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
|
||||
|
@ -1442,6 +1443,33 @@ ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
|
|||
ctx->header_end - ctx->header_start,
|
||||
ctx->header_start);
|
||||
|
||||
len = ctx->header_name_end - ctx->header_name_start;
|
||||
|
||||
if (len == sizeof("Content-Type") - 1
|
||||
&& ngx_strncasecmp(ctx->header_name_start,
|
||||
(u_char *) "Content-Type",
|
||||
sizeof("Content-Type") - 1)
|
||||
== 0)
|
||||
{
|
||||
len = ctx->header_end - ctx->header_start;
|
||||
|
||||
if (len != sizeof("application/ocsp-response") - 1
|
||||
|| ngx_strncasecmp(ctx->header_start,
|
||||
(u_char *) "application/ocsp-response",
|
||||
sizeof("application/ocsp-response") - 1)
|
||||
!= 0)
|
||||
{
|
||||
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
|
||||
"OCSP responder sent invalid "
|
||||
"\"Content-Type\" header: \"%*s\"",
|
||||
ctx->header_end - ctx->header_start,
|
||||
ctx->header_start);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
/* TODO: honor Content-Length */
|
||||
|
||||
continue;
|
||||
|
|
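Review bot: The new Content-Type check requires the whole header value to equal `application/ocsp-response`, so a responder that appends a parameter or trailing whitespace (e.g. `application/ocsp-response; charset=...`, a constructed example) is now rejected with the new error even though the body may still be a valid DER response; RFC 6960 defines no parameters for this media type, so the strictness is defensible, but it should be stated, e.g. `/* exact match: RFC 6960 defines no parameters for this media type */` above the `len != sizeof("application/ocsp-response") - 1` test, or the comparison should stop at the first `;`/whitespace if tolerance is wanted. The check is also only applied when a Content-Type header is present; a response that omits the header still reaches d2i_OCSP_RESPONSE() unchecked, which may be intended but is worth a one-line comment next to the `/* TODO: honor Content-Length */` line. The body of ngx_ssl_ocsp_process_headers() begins and continues outside the hunk, so the surrounding loop and the header-name cases it already handles are not visible here.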