-.\" $OpenBSD: httpd.conf.5,v 1.84 2017/08/11 20:30:45 jmc Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.85 2017/11/28 01:21:30 beck Exp $
.\"
.\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 11 2017 $
+.Dd $Mdocdate: November 28 2017 $
.Dt HTTPD.CONF 5
.Os
.Sh NAME
.Ar certificate
in use.
The default is to not use OCSP stapling.
+If the OSCP response in
+.Ar file
+is unparseable or empty OCSP stapling will not be used.
.It Ic protocols Ar string
Specify the TLS protocols to enable for this server.
If not specified, the value
-/* $OpenBSD: server.c,v 1.111 2017/08/11 18:48:56 jsing Exp $ */
+/* $OpenBSD: server.c,v 1.112 2017/11/28 01:21:30 beck Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
if ((srv->srv_conf.tls_ocsp_staple = tls_load_file(
srv->srv_conf.tls_ocsp_staple_file,
- &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL)
- return (-1);
+ &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL) {
+ log_warnx("%s: Failed to load ocsp staple from %s - ignoring", __func__,
+ srv->srv_conf.tls_ocsp_staple_file);
+ return (0);
+ }
+
+ if (srv->srv_conf.tls_ocsp_staple_len == 0) {
+ log_warnx("%s: ignoring 0 length ocsp staple from %s", __func__,
+ srv->srv_conf.tls_ocsp_staple_file);
+ return (0);
+ }
+
log_debug("%s: using ocsp staple from %s", __func__,
srv->srv_conf.tls_ocsp_staple_file);
projects / openbsd / commitdiff