comparison src/http/modules/ngx_http_ssl_module.c @ 4872:7c3cca603438

OCSP stapling: ssl_trusted_certificate directive. The directive allows specifying additional trusted Certificate Authority certificates to be used during certificate verification. In contrast to ssl_client_certificate, the DNs of these certificates aren't sent to a client during the handshake. Trusted certificates are loaded regardless of whether client certificate verification is enabled, as the same certificates will be used for OCSP stapling, during construction of an OCSP request and for verification of an OCSP response. The same applies to a CRL (which is now always loaded).
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 01 Oct 2012 12:39:36 +0000
parents d620f497c50f
children dd74fd35ceb5
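--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -120,10 +120,17 @@
 { ngx_string("ssl_client_certificate"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
+NULL },
+
+{ ngx_string("ssl_trusted_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
 NULL },
 
 { ngx_string("ssl_prefer_server_ciphers"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
@@ -323,10 +330,11 @@
 * sscf->certificate = { 0, NULL };
 * sscf->certificate_key = { 0, NULL };
 * sscf->dhparam = { 0, NULL };
 * sscf->ecdh_curve = { 0, NULL };
 * sscf->client_certificate = { 0, NULL };
+* sscf->trusted_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
 * sscf->shm_zone = NULL;
 */
 
@@ -378,10 +386,12 @@
 
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
 "");
+ngx_conf_merge_str_value(conf->trusted_certificate,
+prev->trusted_certificate, "");
 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
@@ -477,14 +487,22 @@
 conf->verify_depth)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
-
-if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
-return NGX_CONF_ERROR;
-}
+}
+
+if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
+&conf->trusted_certificate,
+conf->verify_depth)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
+if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+return NGX_CONF_ERROR;
 }
 
 if (conf->prefer_server_ciphers) {
 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 }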
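Review bot: The reason the ngx_ssl_trusted_certificate and ngx_ssl_crl calls at new lines 494-504 now sit outside the `if (conf->verify)` block is not stated in the code, so a later reader is likely to assume the CRL only matters when client verification is on and move it back inside. The commit message carries the rationale and it belongs next to the calls, e.g. `/* loaded regardless of ssl_verify_client: also used for OCSP stapling (request construction and response verification) */`. It is also worth noting, hedged since ngx_ssl_trusted_certificate is not visible here, that if it installs these CAs into the context's verify store, any CA given via ssl_trusted_certificate also becomes an accepted issuer for client certificates once verification is enabled, even though its DN is not advertised; the comment or the directive's documentation should make that explicit for operators. The enclosing function starts and ends outside the hunk.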