# HG changeset patch # User Maxim Dounin # Date 1349095991 0 # Node ID 4a804fd04e6c683b44a14a436586b65fc578a4e7 # Parent 695cc88ad649a88b8cbafe9726c1b78dd5fc4079 OCSP stapling: ssl_stapling_verify directive. OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify allows to switch it on. Note that for stapling OCSP response verification isn't something required as it will be done by a client anyway. But doing verification on a server allows to mitigate some attack vectors, most notably stop an attacker from presenting some specially crafted data to all site clients. diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -106,7 +106,7 @@ ngx_int_t ngx_ssl_trusted_certificate(ng ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, - ngx_str_t *responder, ngx_str_t *file); + ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length); diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -33,7 +33,8 @@ typedef struct { time_t valid; - ngx_uint_t loading; /* unsigned:1 */ + unsigned verify:1; + unsigned loading:1; } ngx_ssl_stapling_t; @@ -114,8 +115,8 @@ static u_char *ngx_ssl_ocsp_log_error(ng ngx_int_t -ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, - ngx_str_t *file) +ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + ngx_str_t *responder, ngx_uint_t verify) { ngx_int_t rc; ngx_pool_cleanup_t *cln; @@ -144,6 +145,7 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl staple->ssl_ctx = ssl->ctx; staple->timeout = 60000; + staple->verify = verify; if (file->len) { /* use OCSP response from the file */ @@ -588,7 +590,10 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc chain = staple->ssl_ctx->extra_certs; #endif - if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { + if (OCSP_basic_verify(basic, chain, store, + staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY) + != 1) + { ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, "OCSP_basic_verify() failed"); goto error; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -182,6 +182,13 @@ static ngx_command_t ngx_http_ssl_comma offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), NULL }, + { ngx_string("ssl_stapling_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), + NULL }, + ngx_null_command }; @@ -370,6 +377,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t sscf->builtin_session_cache = NGX_CONF_UNSET; sscf->session_timeout = NGX_CONF_UNSET; sscf->stapling = NGX_CONF_UNSET; + sscf->stapling_verify = NGX_CONF_UNSET; return sscf; } @@ -424,6 +432,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); ngx_conf_merge_value(conf->stapling, prev->stapling, 0); + ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); @@ -565,8 +574,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * if (conf->stapling) { - if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder, - &conf->stapling_file) + if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, + &conf->stapling_responder, conf->stapling_verify) != NGX_OK) { return NGX_CONF_ERROR; diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h +++ b/src/http/modules/ngx_http_ssl_module.h @@ -43,6 +43,7 @@ typedef struct { ngx_shm_zone_t *shm_zone; ngx_flag_t stapling; + ngx_flag_t stapling_verify; ngx_str_t stapling_file; ngx_str_t stapling_responder;