comparison src/http/modules/ngx_http_ssl_module.c @ 4875:386a06a22c40
OCSP stapling: loading OCSP responses.
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).
OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question. This is due
to a limitation of the OpenSSL API (the certificate status callback is blocking).
Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:47:55 +0000 |
parents | dd74fd35ceb5 |
children | 4a804fd04e6c |
4874:d1a20423c425 | 4875:386a06a22c40 |
---|---|
30 | 30 |
31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 31 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
32 void *conf); | 32 void *conf); |
33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 33 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
34 void *conf); | 34 void *conf); |
35 | |
36 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | |
35 | 37 |
36 | 38 |
37 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { | 39 static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { |
38 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, | 40 { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, |
39 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, | 41 { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, |
171 ngx_conf_set_str_slot, | 173 ngx_conf_set_str_slot, |
172 NGX_HTTP_SRV_CONF_OFFSET, | 174 NGX_HTTP_SRV_CONF_OFFSET, |
173 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), | 175 offsetof(ngx_http_ssl_srv_conf_t, stapling_file), |
174 NULL }, | 176 NULL }, |
175 | 177 |
178 { ngx_string("ssl_stapling_responder"), | |
179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
180 ngx_conf_set_str_slot, | |
181 NGX_HTTP_SRV_CONF_OFFSET, | |
182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), | |
183 NULL }, | |
184 | |
176 ngx_null_command | 185 ngx_null_command |
177 }; | 186 }; |
178 | 187 |
179 | 188 |
180 static ngx_http_module_t ngx_http_ssl_module_ctx = { | 189 static ngx_http_module_t ngx_http_ssl_module_ctx = { |
181 ngx_http_ssl_add_variables, /* preconfiguration */ | 190 ngx_http_ssl_add_variables, /* preconfiguration */ |
182 NULL, /* postconfiguration */ | 191 ngx_http_ssl_init, /* postconfiguration */ |
183 | 192 |
184 NULL, /* create main configuration */ | 193 NULL, /* create main configuration */ |
185 NULL, /* init main configuration */ | 194 NULL, /* init main configuration */ |
186 | 195 |
187 ngx_http_ssl_create_srv_conf, /* create server configuration */ | 196 ngx_http_ssl_create_srv_conf, /* create server configuration */ |
349 * sscf->trusted_certificate = { 0, NULL }; | 358 * sscf->trusted_certificate = { 0, NULL }; |
350 * sscf->crl = { 0, NULL }; | 359 * sscf->crl = { 0, NULL }; |
351 * sscf->ciphers = { 0, NULL }; | 360 * sscf->ciphers = { 0, NULL }; |
352 * sscf->shm_zone = NULL; | 361 * sscf->shm_zone = NULL; |
353 * sscf->stapling_file = { 0, NULL }; | 362 * sscf->stapling_file = { 0, NULL }; |
363 * sscf->stapling_responder = { 0, NULL }; | |
354 */ | 364 */ |
355 | 365 |
356 sscf->enable = NGX_CONF_UNSET; | 366 sscf->enable = NGX_CONF_UNSET; |
357 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | 367 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
358 sscf->verify = NGX_CONF_UNSET_UINT; | 368 sscf->verify = NGX_CONF_UNSET_UINT; |
413 | 423 |
414 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 424 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
415 | 425 |
416 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 426 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
417 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 427 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
428 ngx_conf_merge_str_value(conf->stapling_responder, | |
429 prev->stapling_responder, ""); | |
418 | 430 |
419 conf->ssl.log = cf->log; | 431 conf->ssl.log = cf->log; |
420 | 432 |
421 if (conf->enable) { | 433 if (conf->enable) { |
422 | 434 |
549 != NGX_OK) | 561 != NGX_OK) |
550 { | 562 { |
551 return NGX_CONF_ERROR; | 563 return NGX_CONF_ERROR; |
552 } | 564 } |
553 | 565 |
554 if (conf->stapling | 566 if (conf->stapling) { |
555 && ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK) | 567 |
556 { | 568 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder, |
557 return NGX_CONF_ERROR; | 569 &conf->stapling_file) |
570 != NGX_OK) | |
571 { | |
572 return NGX_CONF_ERROR; | |
573 } | |
574 | |
558 } | 575 } |
559 | 576 |
560 return NGX_CONF_OK; | 577 return NGX_CONF_OK; |
561 } | 578 } |
562 | 579 |
690 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 707 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
691 "invalid session cache \"%V\"", &value[i]); | 708 "invalid session cache \"%V\"", &value[i]); |
692 | 709 |
693 return NGX_CONF_ERROR; | 710 return NGX_CONF_ERROR; |
694 } | 711 } |
712 | |
713 | |
714 static ngx_int_t | |
715 ngx_http_ssl_init(ngx_conf_t *cf) | |
716 { | |
717 ngx_uint_t s; | |
718 ngx_http_ssl_srv_conf_t *sscf; | |
719 ngx_http_core_loc_conf_t *clcf; | |
720 ngx_http_core_srv_conf_t **cscfp; | |
721 ngx_http_core_main_conf_t *cmcf; | |
722 | |
723 cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module); | |
724 cscfp = cmcf->servers.elts; | |
725 | |
726 for (s = 0; s < cmcf->servers.nelts; s++) { | |
727 | |
728 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | |
729 | |
730 if (!sscf->stapling) { | |
731 continue; | |
732 } | |
733 | |
734 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; | |
735 | |
736 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | |
737 clcf->resolver_timeout) | |
738 != NGX_OK) | |
739 { | |
740 return NGX_ERROR; | |
741 } | |
742 } | |
743 | |
744 return NGX_OK; | |
745 } |
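Review bot: ngx_http_ssl_init (new lines 730–741) calls ngx_ssl_stapling_resolver() for every server whose sscf->stapling is set, but ngx_http_ssl_merge_srv_conf only runs ngx_ssl_stapling() — and, from the `if (conf->enable)` guard at new line 433, only sets up the SSL context at all — when ssl is enabled for that server. Since `stapling` is inherited through the merge at new line 426, a plain-HTTP server {} under an http block with `ssl_stapling on` reaches the resolver hook with an ngx_ssl_t that was never initialised; ngx_ssl_stapling_resolver is not shown here, but if it looks up the stapling state that ngx_ssl_stapling() attaches to the context, this is a NULL dereference at configuration load rather than a clean error. I would mirror the merge handler's guard, `if (!sscf->enable || !sscf->stapling) { continue; }` (or test the context pointer inside sscf->ssl for NULL), and put a comment above the loop such as `/* only contexts that went through ngx_ssl_stapling() have state for the resolver; skip servers without ssl */`. The failure path also returns NGX_ERROR without naming the offending server; an ngx_conf_log_error() there would help unless the callee already logs.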