nghttpx: Add --no-verify-ocsp to disable OCSP response verification

gennghttpxfun.py

@@ -167,6 +167,7 @@ OPTIONS = [
     "no-add-x-forwarded-proto",
     "no-strip-incoming-x-forwarded-proto",
     "ocsp-startup",
+    "no-verify-ocsp",
 ]
 
 LOGVARS = [

src/shrpx.cc

@@ -2240,6 +2240,8 @@ SSL/TLS:
               the  attempts  fail.  This  feature  is  useful if  OCSP
               responses   must    be   available    before   accepting
               connections.
+  --no-verify-ocsp
+              nghttpx does not verify OCSP response.
   --no-ocsp   Disable OCSP stapling.
   --tls-session-cache-memcached=<HOST>,<PORT>[;tls]
               Specify  address of  memcached server  to store  session
@@ -3191,6 +3193,7 @@ int main(int argc, char **argv) {
         {SHRPX_OPT_BACKEND_NO_TLS.c_str(), no_argument, &flag, 27},
         {SHRPX_OPT_OCSP_STARTUP.c_str(), no_argument, &flag, 28},
         {SHRPX_OPT_FRONTEND_NO_TLS.c_str(), no_argument, &flag, 29},
+        {SHRPX_OPT_NO_VERIFY_OCSP.c_str(), no_argument, &flag, 30},
         {SHRPX_OPT_BACKEND_TLS_SNI_FIELD.c_str(), required_argument, &flag, 31},
         {SHRPX_OPT_DH_PARAM_FILE.c_str(), required_argument, &flag, 33},
         {SHRPX_OPT_READ_RATE.c_str(), required_argument, &flag, 34},
@@ -3550,6 +3553,11 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_NO_TLS,
                              StringRef::from_lit("yes"));
         break;
+      case 30:
+        // --no-verify-ocsp
+        cmdcfgs.emplace_back(SHRPX_OPT_NO_VERIFY_OCSP,
+                             StringRef::from_lit("yes"));
+        break;
       case 31:
         // --backend-tls-sni-field
         cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_TLS_SNI_FIELD,

src/shrpx_config.cc

@@ -1651,6 +1651,11 @@ int option_lookup_token(const char *name, size_t namelen) {
         return SHRPX_OPTID_NO_SERVER_PUSH;
       }
       break;
+    case 'p':
+      if (util::strieq_l("no-verify-ocs", name, 13)) {
+        return SHRPX_OPTID_NO_VERIFY_OCSP;
+      }
+      break;
     case 's':
       if (util::strieq_l("backend-no-tl", name, 13)) {
         return SHRPX_OPTID_BACKEND_NO_TLS;
@@ -3429,6 +3434,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
   case SHRPX_OPTID_OCSP_STARTUP:
     config->tls.ocsp.startup = util::strieq_l("yes", optarg);
 
+    return 0;
+  case SHRPX_OPTID_NO_VERIFY_OCSP:
+    config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
+
     return 0;
   case SHRPX_OPTID_CONF:
     LOG(WARN) << "conf: ignored";

src/shrpx_config.h

@@ -342,6 +342,7 @@ constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO =
 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
     StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
 constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
+constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
 
 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
 
@@ -563,6 +564,7 @@ struct TLSConfig {
     StringRef fetch_ocsp_response_file;
     bool disabled;
     bool startup;
+    bool no_verify;
   } ocsp;
 
   // Client verification configurations
@@ -1045,6 +1047,7 @@ enum {
   SHRPX_OPTID_NO_SERVER_PUSH,
   SHRPX_OPTID_NO_SERVER_REWRITE,
   SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
+  SHRPX_OPTID_NO_VERIFY_OCSP,
   SHRPX_OPTID_NO_VIA,
   SHRPX_OPTID_NPN_LIST,
   SHRPX_OPTID_OCSP_STARTUP,

src/shrpx_connection_handler.cc

@@ -620,7 +620,11 @@ void ConnectionHandler::handle_ocsp_complete() {
               << " finished successfully";
   }
 
-  if (tls::verify_ocsp_response(ssl_ctx, ocsp_.resp.data(),
+  auto config = get_config();
+  auto &tlsconf = config->tls;
+
+  if (tlsconf.ocsp.no_verify ||
+      tls::verify_ocsp_response(ssl_ctx, ocsp_.resp.data(),
                                 ocsp_.resp.size()) == 0) {
 #ifndef OPENSSL_IS_BORINGSSL
 #ifdef HAVE_ATOMIC_STD_SHARED_PTR