comparison src/event/ngx_event_openssl.h @ 7899:8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".
When a session is reused, the peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Fri, 22 May 2020 17:30:12 +0300 |
parents | 1ce3f01a4355 |
children | b56f725dd4bb |
7898:7cffd81015e7 | 7899:8409f9df6219 |
---|---|
62 #if (OPENSSL_VERSION_NUMBER < 0x10002000L) | 62 #if (OPENSSL_VERSION_NUMBER < 0x10002000L) |
63 #define SSL_is_server(s) (s)->server | 63 #define SSL_is_server(s) (s)->server |
64 #endif | 64 #endif |
65 | 65 |
66 | 66 |
67 typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t; | |
68 | |
69 | |
67 struct ngx_ssl_s { | 70 struct ngx_ssl_s { |
68 SSL_CTX *ctx; | 71 SSL_CTX *ctx; |
69 ngx_log_t *log; | 72 ngx_log_t *log; |
70 size_t buffer_size; | 73 size_t buffer_size; |
71 }; | 74 }; |
84 ngx_ssl_session_t *session; | 87 ngx_ssl_session_t *session; |
85 ngx_connection_handler_pt save_session; | 88 ngx_connection_handler_pt save_session; |
86 | 89 |
87 ngx_event_handler_pt saved_read_handler; | 90 ngx_event_handler_pt saved_read_handler; |
88 ngx_event_handler_pt saved_write_handler; | 91 ngx_event_handler_pt saved_write_handler; |
92 | |
93 ngx_ssl_ocsp_t *ocsp; | |
89 | 94 |
90 u_char early_buf; | 95 u_char early_buf; |
91 | 96 |
92 unsigned handshaked:1; | 97 unsigned handshaked:1; |
93 unsigned renegotiation:1; | 98 unsigned renegotiation:1; |
95 unsigned no_wait_shutdown:1; | 100 unsigned no_wait_shutdown:1; |
96 unsigned no_send_shutdown:1; | 101 unsigned no_send_shutdown:1; |
97 unsigned handshake_buffer_set:1; | 102 unsigned handshake_buffer_set:1; |
98 unsigned try_early_data:1; | 103 unsigned try_early_data:1; |
99 unsigned in_early:1; | 104 unsigned in_early:1; |
105 unsigned in_ocsp:1; | |
100 unsigned early_preread:1; | 106 unsigned early_preread:1; |
101 unsigned write_blocked:1; | 107 unsigned write_blocked:1; |
102 }; | 108 }; |
103 | 109 |
104 | 110 |
178 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); | 184 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); |
179 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, | 185 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, |
180 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); | 186 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
181 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, | 187 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
182 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); | 188 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); |
189 ngx_int_t ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, | |
190 ngx_uint_t depth); | |
191 ngx_int_t ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, | |
192 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); | |
193 ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c); | |
194 ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s); | |
195 void ngx_ssl_ocsp_cleanup(ngx_connection_t *c); | |
183 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, | 196 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, |
184 int key_length); | 197 int key_length); |
185 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); | 198 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); |
186 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, | 199 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf, |
187 ngx_array_t *passwords); | 200 ngx_array_t *passwords); |
279 | 292 |
280 extern int ngx_ssl_connection_index; | 293 extern int ngx_ssl_connection_index; |
281 extern int ngx_ssl_server_conf_index; | 294 extern int ngx_ssl_server_conf_index; |
282 extern int ngx_ssl_session_cache_index; | 295 extern int ngx_ssl_session_cache_index; |
283 extern int ngx_ssl_session_ticket_keys_index; | 296 extern int ngx_ssl_session_ticket_keys_index; |
297 extern int ngx_ssl_ocsp_index; | |
284 extern int ngx_ssl_certificate_index; | 298 extern int ngx_ssl_certificate_index; |
285 extern int ngx_ssl_next_certificate_index; | 299 extern int ngx_ssl_next_certificate_index; |
286 extern int ngx_ssl_certificate_name_index; | 300 extern int ngx_ssl_certificate_name_index; |
287 extern int ngx_ssl_stapling_index; | 301 extern int ngx_ssl_stapling_index; |
288 | 302 |
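Review bot: The new OCSP entry points at new lines 189–195 (`ngx_ssl_ocsp`, `ngx_ssl_ocsp_validate`, `ngx_ssl_ocsp_get_status`, `ngx_ssl_ocsp_cleanup`) carry no comment on their contract, and the limitation the commit message states — that a reused session leaves no peer chain to validate, and that a verified chain containing certificates not available at the server fails validation — is invisible to a reader of this header, which is exactly where an operator enabling `ssl_ocsp` would look. A short comment above `ngx_ssl_ocsp_validate` should state that limitation and whether session reuse skips validation or fails it, since the description leaves that open, along with what the `ngx_uint_t depth` parameter of `ngx_ssl_ocsp` bounds. The `ngx_ssl_ocsp_t *ocsp` member and `in_ocsp:1` flag added to the connection struct in the second hunk likewise have no ownership note; presumably `ngx_ssl_ocsp_cleanup` releases `ocsp`, and a one-line comment such as `/* per-connection OCSP state; released by ngx_ssl_ocsp_cleanup() */` would confirm or correct that. The enclosing struct (`ngx_ssl_connection_s`) begins outside the hunk.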