From: beck Date: Wed, 29 Nov 2017 16:55:08 +0000 (+0000) Subject: Don't do OCSP stapling only if the staple file is 0 length. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=34538e77d08000dea9d2b297e58be7acd00022e4;p=openbsd Don't do OCSP stapling only if the staple file is 0 length. This allows something external (like ocspcheck) to disable the stapling deliberately if it can not retrieve a valid staple by truncating the staple file to indicate "do not provide a staple", while the file not existing will still be treated as a configuration error ok claudio@ florian@, and prompted by @jsing --- diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5 index ad53df8cc97..4c2e69d5fdb 100644 --- a/usr.sbin/httpd/httpd.conf.5 +++ b/usr.sbin/httpd/httpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: httpd.conf.5,v 1.86 2017/11/28 09:40:46 jmc Exp $ +.\" $OpenBSD: httpd.conf.5,v 1.87 2017/11/29 16:55:08 beck Exp $ .\" .\" Copyright (c) 2014, 2015 Reyk Floeter .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 28 2017 $ +.Dd $Mdocdate: November 29 2017 $ .Dt HTTPD.CONF 5 .Os .Sh NAME @@ -560,7 +560,7 @@ in use. The default is to not use OCSP stapling. If the OSCP response in .Ar file -is unparseable or empty, OCSP stapling will not be used. +is empty, OCSP stapling will not be used. .It Ic protocols Ar string Specify the TLS protocols to enable for this server. If not specified, the value diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c index 39ebcd0da1d..2a505ace8de 100644 --- a/usr.sbin/httpd/server.c +++ b/usr.sbin/httpd/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.112 2017/11/28 01:21:30 beck Exp $ */ +/* $OpenBSD: server.c,v 1.113 2017/11/29 16:55:08 beck Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter 
@@ -189,9 +189,9 @@ server_tls_load_ocsp(struct server *srv) if ((srv->srv_conf.tls_ocsp_staple = tls_load_file( srv->srv_conf.tls_ocsp_staple_file, &srv->srv_conf.tls_ocsp_staple_len, NULL)) == NULL) { - log_warnx("%s: Failed to load ocsp staple from %s - ignoring", __func__, + log_warnx("%s: Failed to load ocsp staple from %s", __func__, srv->srv_conf.tls_ocsp_staple_file); - return (0); + return (-1); } if (srv->srv_conf.tls_ocsp_staple_len == 0) {
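Review bot: the httpd.conf.5 hunk at @@ -560,7 +560,7 @@ documents only the empty-file case and silently drops the "unparseable" wording, so the manual no longer says what the commit message promises, namely that a staple file which does not exist (or cannot be loaded) is a configuration error rather than "stapling off". Suggest a second sentence after `+is empty, OCSP stapling will not be used.`, along the lines of "If the file does not exist or cannot be read, it is treated as a configuration error." (wording taken from the commit message; match it to the real failure behaviour of the server). While in this paragraph, the unchanged context line `If the OSCP response in` misspells OCSP and is worth a drive-by fix.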
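Review bot: in the server.c hunk at @@ -189,9 +189,9 @@ the failure path of tls_load_file() is now fatal (`return (-1)` instead of `return (0)`), but the warning still says only "Failed to load ocsp staple from %s" with no reason, which makes a misconfigured path, a permission problem and an unreadable file indistinguishable in the log; consider log_warn() instead of log_warnx() so that strerror(errno) is appended (assuming errno survives tls_load_file()), or log the cause explicitly. The hunk is cut off right after `if (srv->srv_conf.tls_ocsp_staple_len == 0) {`, so the zero-length branch that the commit message relies on (stapling deliberately disabled, load still succeeds) is not visible here; please confirm that branch returns 0 rather than falling into the new -1 path, and that the caller of server_tls_load_ocsp() actually checks for -1 now, since the previous code always returned 0 and a caller that never looked at the result would keep starting with a missing staple file.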
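The operational contract this commit creates (missing staple file is a configuration error, zero-length file means "serve without a staple", non-empty file is served as the staple) is what an external refresher has to honour. Below is an added example, not code from the OpenBSD commit or from httpd or ocspcheck, of a POSIX sh refresh helper that truncates instead of unlinking on failure. The staple path, the fetcher command (any command that writes the DER response to stdout, standing in for ocspcheck(8)) and the `.tmp.$$` scratch name are assumptions of this example.

```sh
#!/bin/sh
# Added example, not OpenBSD code. Staple-refresh helper that follows the
# file contract this change gives httpd(8)'s "ocsp" staple file:
#   file missing/unreadable  -> httpd treats it as a configuration error
#   file present but empty   -> httpd serves without an OCSP staple
#   file present, non-empty  -> httpd staples its contents
# A fetcher that fails must therefore truncate the file, never unlink it.
# Assumptions: FETCHER writes the DER OCSP response to stdout (a stand-in
# for ocspcheck(8)); FILE is whatever the "ocsp" keyword in httpd.conf names.

# refresh_staple FILE FETCHER [ARGS...]
# Runs FETCHER; on success with non-empty output, installs the output
# atomically as FILE and returns 0. On any failure (non-zero exit or empty
# output), truncates FILE, creating it if needed, so that httpd starts with
# stapling disabled instead of rejecting its configuration, and returns 1.
refresh_staple() {
	file=$1
	shift
	tmp="$file.tmp.$$"    # scratch name is an assumption of this example
	if "$@" > "$tmp" && [ -s "$tmp" ]; then
		mv -f "$tmp" "$file"
		return 0
	fi
	# Never leave a partial or stale staple behind, and never unlink the
	# file: an absent file is a configuration error for httpd.
	rm -f "$tmp"
	: > "$file"
	return 1
}

# staple_state FILE
# Prints how httpd's server_tls_load_ocsp() treats FILE after this change:
# "missing" (load fails, configuration error), "empty" (length 0, stapling
# off) or "staple" (response served).
staple_state() {
	if [ ! -r "$1" ]; then
		echo missing
	elif [ ! -s "$1" ]; then
		echo empty
	else
		echo staple
	fi
}

# Typical periodic use (not executed here; see ocspcheck(8) for its options):
#   refresh_staple /etc/ssl/example.ocsp <fetcher writing the response to stdout>
```

The important design choice is the last two lines of the failure branch: `rm -f "$tmp"` discards whatever partial output the fetcher produced, and `: > "$file"` leaves a zero-length file in place, which is the one state this commit defines as "stapling deliberately off". Deleting the file instead would turn a transient OCSP responder outage into a server that refuses to start.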