comparison src/http/modules/ngx_http_ssl_module.c @ 4873:dd74fd35ceb5
OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming a valid
DER-encoded OCSP response is present in the configured ssl_stapling_file.
Such file might be produced with openssl like this:
openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
-url http://ocsp.example.com
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:41:08 +0000 |
parents | 7c3cca603438 |
children | 386a06a22c40 |
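--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -155,10 +155,24 @@
 { ngx_string("ssl_crl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, crl),
+NULL },
+
+{ ngx_string("ssl_stapling"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling),
+NULL },
+
+{ ngx_string("ssl_stapling_file"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
 NULL },
 
 ngx_null_command
 };
 
@@ -334,18 +348,20 @@
 * sscf->client_certificate = { 0, NULL };
 * sscf->trusted_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
 * sscf->shm_zone = NULL;
+* sscf->stapling_file = { 0, NULL };
 */
 
 sscf->enable = NGX_CONF_UNSET;
 sscf->prefer_server_ciphers = NGX_CONF_UNSET;
 sscf->verify = NGX_CONF_UNSET_UINT;
 sscf->verify_depth = NGX_CONF_UNSET_UINT;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
+sscf->stapling = NGX_CONF_UNSET;
 
 return sscf;
 }
 
 
@@ -395,10 +411,12 @@
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
+ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
 
 conf->ssl.log = cf->log;
 
 if (conf->enable) {
 
@@ -531,10 +549,16 @@
 != NGX_OK)
 {
 return NGX_CONF_ERROR;
 }
 
+if (conf->stapling
+&& ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
+
 return NGX_CONF_OK;
 }
 
 
 static char *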
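Review bot: The new call at lines 554-555 is gated only on `conf->stapling`, while `stapling_file` is merged with a default of `""` at line 417, so `ssl_stapling on` without `ssl_stapling_file` hands an empty name to `ngx_ssl_stapling()`, and `ssl_stapling_file` without `ssl_stapling on` is ignored without any message. `ngx_ssl_stapling()` is not part of this file, so whether it skips or rejects an empty name cannot be confirmed here; a comment above the call such as `/* stapling_file may be empty here; ngx_ssl_stapling() must treat that as "no static response" */` would record the contract. For the second case a configuration-time warning would help operators who believe stapling is active, e.g. `if (!conf->stapling && conf->stapling_file.len) { ngx_log_error(NGX_LOG_WARN, cf->log, 0, "\"ssl_stapling_file\" ignored, \"ssl_stapling\" is off"); }`. The response is presumably read once when the configuration is loaded, so the directive's documentation should also state that the file has to be regenerated and nginx reloaded before the response's nextUpdate time, otherwise clients receive an expired staple. The enclosing merge function begins outside the visible hunks.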