changeset 1924:291689a7e5dc
invalidate SSL session if there is no valid client certificate
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Mon, 10 Mar 2008 14:47:07 +0000 |
parents | c72fe0a8d9b4 |
children | 6fd26b0e1009 |
files | src/event/ngx_event_openssl.c src/event/ngx_event_openssl.h src/http/ngx_http_request.c |
diffstat | 3 files changed, 22 insertions(+), 0 deletions(-) [+] |
--- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1552,6 +1552,15 @@ done: } +void +ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) +{ + SSL_CTX_remove_session(ssl, sess); + + ngx_ssl_remove_session(ssl, sess); +} + + static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) { @@ -1567,6 +1576,10 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); + if (shm_zone == NULL) { + return; + } + cache = shm_zone->data; id = sess->session_id;
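Review bot: `ngx_ssl_remove_cached_session()` hands `sess` to `ngx_ssl_remove_session()` without checking it, and that function reads `sess->session_id` (visible in the next hunk), so a NULL session would be dereferenced. The callers added in ngx_http_request.c pass the result of `SSL_get0_session()`, which returns NULL when the connection has no session. That is probably not reachable after a completed handshake, but the function is now exported, so a guard at the top such as `if (sess == NULL) { return; }` would make it safe for any caller. A short comment saying why both calls are made would also help, for example `/* drop the session from the OpenSSL builtin cache and from the shared zone cache */`.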
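Review bot: The new early return on `shm_zone == NULL` in `ngx_ssl_remove_session()` has no comment saying when the ex_data slot is empty. Presumably it is the case where the SSL_CTX has no shared session cache attached, which the new direct call from `ngx_ssl_remove_cached_session()` can now reach. That is inferred from this diff, so confirm it before wording the comment. Something like `/* no shared session cache is attached to this SSL_CTX */` above the check would record it. The body of `ngx_ssl_remove_session()` continues outside the hunk.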
--- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -105,6 +105,7 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_ ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags); +void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) #define ngx_ssl_free_session SSL_SESSION_free
--- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1430,6 +1430,10 @@ ngx_http_process_request(ngx_http_reques ngx_log_error(NGX_LOG_INFO, c->log, 0, "client SSL certificate verify error: (%l:%s)", rc, X509_verify_cert_error_string(rc)); + + ngx_ssl_remove_cached_session(sscf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR); return; } @@ -1439,6 +1443,10 @@ ngx_http_process_request(ngx_http_reques { ngx_log_error(NGX_LOG_INFO, c->log, 0, "client sent no required SSL certificate"); + + ngx_ssl_remove_cached_session(sscf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT); return; }
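Review bot: Both error branches (the hunk at -1430 and the one at -1439) drop the session only from the server-side caches, which does not cover stateless resumption. If the OpenSSL build in use issues session tickets, the client holds the session state itself and `SSL_CTX_remove_session()` has no effect on it; whether tickets are enabled is not visible in this diff. A comment above each call such as `/* removes the cached session only; session tickets, if enabled, are not affected */` would record that limit. The extra parentheses around `SSL_get0_session(c->ssl->connection)` are redundant. `ngx_http_process_request()` starts and ends outside both hunks.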