comparison src/http/modules/ngx_http_ssl_module.c @ 7900:b56f725dd4bb
OCSP: certificate status cache.
When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.
New directive ssl_ocsp_cache is added to configure the cache.
author | Roman Arutyunyan <arut@nginx.com> |
date | Fri, 22 May 2020 17:25:27 +0300 |
parents | 8409f9df6219 |
children | 7995cd199b52 3bff3f397c05 |
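--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -47,10 +47,12 @@
 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
+static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 
 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
 
 
@@ -232,10 +234,17 @@
     { ngx_string("ssl_ocsp_responder"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_str_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
+      NULL },
+
+    { ngx_string("ssl_ocsp_cache"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_ssl_ocsp_cache,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
       NULL },
 
     { ngx_string("ssl_stapling"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_flag_slot,
@@ -600,10 +609,11 @@
     sscf->builtin_session_cache = NGX_CONF_UNSET;
     sscf->session_timeout = NGX_CONF_UNSET;
     sscf->session_tickets = NGX_CONF_UNSET;
     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
     sscf->ocsp = NGX_CONF_UNSET_UINT;
+    sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
     sscf->stapling = NGX_CONF_UNSET;
     sscf->stapling_verify = NGX_CONF_UNSET;
 
     return sscf;
 }
@@ -665,10 +675,12 @@
 
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
     ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
     ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
+    ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
+                             prev->ocsp_cache_zone, NULL);
 
     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
     ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
     ngx_conf_merge_str_value(conf->stapling_responder,
@@ -836,11 +848,12 @@
                            "\"ssl_ocsp\" is incompatible with "
                            "\"ssl_verify_client optional_no_ca\"");
             return NGX_CONF_ERROR;
         }
 
-        if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp)
+        if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp,
+                         conf->ocsp_cache_zone)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
         }
     }
@@ -1136,10 +1149,89 @@
 
 invalid:
 
     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                        "invalid session cache \"%V\"", &value[i]);
+
+    return NGX_CONF_ERROR;
+}
+
+
+static char *
+ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_http_ssl_srv_conf_t *sscf = conf;
+
+    size_t       len;
+    ngx_int_t    n;
+    ngx_str_t   *value, name, size;
+    ngx_uint_t   j;
+
+    if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) {
+        return "is duplicate";
+    }
+
+    value = cf->args->elts;
+
+    if (ngx_strcmp(value[1].data, "off") == 0) {
+        sscf->ocsp_cache_zone = NULL;
+        return NGX_CONF_OK;
+    }
+
+    if (value[1].len <= sizeof("shared:") - 1
+        || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0)
+    {
+        goto invalid;
+    }
+
+    len = 0;
+
+    for (j = sizeof("shared:") - 1; j < value[1].len; j++) {
+        if (value[1].data[j] == ':') {
+            break;
+        }
+
+        len++;
+    }
+
+    if (len == 0) {
+        goto invalid;
+    }
+
+    name.len = len;
+    name.data = value[1].data + sizeof("shared:") - 1;
+
+    size.len = value[1].len - j - 1;
+    size.data = name.data + len + 1;
+
+    n = ngx_parse_size(&size);
+
+    if (n == NGX_ERROR) {
+        goto invalid;
+    }
+
+    if (n < (ngx_int_t) (8 * ngx_pagesize)) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "OCSP cache \"%V\" is too small", &value[1]);
+
+        return NGX_CONF_ERROR;
+    }
+
+    sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n,
+                                                  &ngx_http_ssl_module_ctx);
+    if (sscf->ocsp_cache_zone == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init;
+
+    return NGX_CONF_OK;
+
+invalid:
+
+    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                       "invalid OCSP cache \"%V\"", &value[1]);
 
     return NGX_CONF_ERROR;
 }
 
 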
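Review bot: The `shared:name:size` parser in the new ngx_http_ssl_ocsp_cache does not reject an argument that has no second `:` (for example `shared:foo`). When the scan loop runs off the end, `j == value[1].len`, so `size.len = value[1].len - j - 1` wraps to `(size_t) -1` and `size.data` points one past the argument before `ngx_parse_size` is called; whether that helper stops before reading past the string is decided outside this hunk, so the directive should not rely on it. The guard after the loop can cover the case explicitly: `if (len == 0 || j == value[1].len) { goto invalid; }`. The `shared:` parsing appears to mirror ngx_http_ssl_session_cache, whose body lies outside the hunk, so if the same gap exists there the guard belongs in both places.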