OCSP stapling: check Content-Type.

This will result in a better error message in case of an incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...
This commit is contained in:
Maxim Dounin 2012-10-01 12:48:54 +00:00
parent 2bc96fc38b
commit a8c15d74c1


@ -1425,6 +1425,7 @@ done:
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
size_t len;
ngx_int_t rc;
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
@ -1442,6 +1443,33 @@ ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
ctx->header_end - ctx->header_start,
ctx->header_start);
len = ctx->header_name_end - ctx->header_name_start;
if (len == sizeof("Content-Type") - 1
&& ngx_strncasecmp(ctx->header_name_start,
(u_char *) "Content-Type",
sizeof("Content-Type") - 1)
== 0)
{
len = ctx->header_end - ctx->header_start;
if (len != sizeof("application/ocsp-response") - 1
|| ngx_strncasecmp(ctx->header_start,
(u_char *) "application/ocsp-response",
sizeof("application/ocsp-response") - 1)
!= 0)
{
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP responder sent invalid "
"\"Content-Type\" header: \"%*s\"",
ctx->header_end - ctx->header_start,
ctx->header_start);
return NGX_ERROR;
}
continue;
}
/* TODO: honor Content-Length */
continue;
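Review bot: The value comparison on L41-L45 accepts only a header whose entire value is exactly `application/ocsp-response` (length equality plus case-insensitive compare), so a responder that appends parameters or trailing whitespace after the media type gets the same "invalid Content-Type" rejection as a genuinely wrong type. That strictness is defensible, since the OCSP response media type defines no parameters, but it will be read as a bug by the next maintainer unless it is stated; a one-line comment above the `if` at L41 such as `/* exact match: the OCSP response media type carries no parameters */` would settle it. Note also that the error at L47-L51 echoes the responder-supplied header bytes verbatim into the error log via `%*s`, consistent with how other peer-supplied headers are logged, so anything parsing error logs should treat that field as untrusted. The first hunk (L23-L29) only adds the `rc` declaration and needs nothing. `ngx_ssl_ocsp_process_headers` begins before this hunk and its body continues past L57.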