Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 4879:4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.
Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 01 Oct 2012 12:53:11 +0000 |
| parents | 695cc88ad649 |
| children | 0254c1a43fe5 |
comparison
equal
deleted
inserted
replaced
| 4878:695cc88ad649 | 4879:4a804fd04e6c |
|---|---|
| 31 X509 *cert; | 31 X509 *cert; |
| 32 X509 *issuer; | 32 X509 *issuer; |
| 33 | 33 |
| 34 time_t valid; | 34 time_t valid; |
| 35 | 35 |
| 36 ngx_uint_t loading; /* unsigned:1 */ | 36 unsigned verify:1; |
| 37 unsigned loading:1; | |
| 37 } ngx_ssl_stapling_t; | 38 } ngx_ssl_stapling_t; |
| 38 | 39 |
| 39 | 40 |
| 40 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; | 41 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; |
| 41 | 42 |
| 112 | 113 |
| 113 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); | 114 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); |
| 114 | 115 |
| 115 | 116 |
| 116 ngx_int_t | 117 ngx_int_t |
| 117 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, | 118 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
| 118 ngx_str_t *file) | 119 ngx_str_t *responder, ngx_uint_t verify) |
| 119 { | 120 { |
| 120 ngx_int_t rc; | 121 ngx_int_t rc; |
| 121 ngx_pool_cleanup_t *cln; | 122 ngx_pool_cleanup_t *cln; |
| 122 ngx_ssl_stapling_t *staple; | 123 ngx_ssl_stapling_t *staple; |
| 123 | 124 |
| 142 return NGX_ERROR; | 143 return NGX_ERROR; |
| 143 } | 144 } |
| 144 | 145 |
| 145 staple->ssl_ctx = ssl->ctx; | 146 staple->ssl_ctx = ssl->ctx; |
| 146 staple->timeout = 60000; | 147 staple->timeout = 60000; |
| 148 staple->verify = verify; | |
| 147 | 149 |
| 148 if (file->len) { | 150 if (file->len) { |
| 149 /* use OCSP response from the file */ | 151 /* use OCSP response from the file */ |
| 150 | 152 |
| 151 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { | 153 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { |
| 586 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); | 588 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); |
| 587 #else | 589 #else |
| 588 chain = staple->ssl_ctx->extra_certs; | 590 chain = staple->ssl_ctx->extra_certs; |
| 589 #endif | 591 #endif |
| 590 | 592 |
| 591 if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { | 593 if (OCSP_basic_verify(basic, chain, store, |
| 594 staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY) | |
| 595 != 1) | |
| 596 { | |
| 592 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, | 597 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
| 593 "OCSP_basic_verify() failed"); | 598 "OCSP_basic_verify() failed"); |
| 594 goto error; | 599 goto error; |
| 595 } | 600 } |
| 596 | 601 |