comparison src/event/ngx_event_openssl_stapling.c @ 4879:4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify directive allows switching it on.
Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:53:11 +0000 |
parents | 695cc88ad649 |
children | 0254c1a43fe5 |
4878:695cc88ad649 | 4879:4a804fd04e6c |
---|---|
31 X509 *cert; | 31 X509 *cert; |
32 X509 *issuer; | 32 X509 *issuer; |
33 | 33 |
34 time_t valid; | 34 time_t valid; |
35 | 35 |
36 ngx_uint_t loading; /* unsigned:1 */ | 36 unsigned verify:1; |
37 unsigned loading:1; | |
37 } ngx_ssl_stapling_t; | 38 } ngx_ssl_stapling_t; |
38 | 39 |
39 | 40 |
40 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; | 41 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; |
41 | 42 |
112 | 113 |
113 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); | 114 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); |
114 | 115 |
115 | 116 |
116 ngx_int_t | 117 ngx_int_t |
117 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, | 118 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
118 ngx_str_t *file) | 119 ngx_str_t *responder, ngx_uint_t verify) |
119 { | 120 { |
120 ngx_int_t rc; | 121 ngx_int_t rc; |
121 ngx_pool_cleanup_t *cln; | 122 ngx_pool_cleanup_t *cln; |
122 ngx_ssl_stapling_t *staple; | 123 ngx_ssl_stapling_t *staple; |
123 | 124 |
142 return NGX_ERROR; | 143 return NGX_ERROR; |
143 } | 144 } |
144 | 145 |
145 staple->ssl_ctx = ssl->ctx; | 146 staple->ssl_ctx = ssl->ctx; |
146 staple->timeout = 60000; | 147 staple->timeout = 60000; |
148 staple->verify = verify; | |
147 | 149 |
148 if (file->len) { | 150 if (file->len) { |
149 /* use OCSP response from the file */ | 151 /* use OCSP response from the file */ |
150 | 152 |
151 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { | 153 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { |
586 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); | 588 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); |
587 #else | 589 #else |
588 chain = staple->ssl_ctx->extra_certs; | 590 chain = staple->ssl_ctx->extra_certs; |
589 #endif | 591 #endif |
590 | 592 |
591 if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { | 593 if (OCSP_basic_verify(basic, chain, store, |
594 staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY) | |
595 != 1) | |
596 { | |
592 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, | 597 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
593 "OCSP_basic_verify() failed"); | 598 "OCSP_basic_verify() failed"); |
594 goto error; | 599 goto error; |
595 } | 600 } |
596 | 601 |
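Review bot: The flag choice at new line 594 is the security-relevant decision of this function, yet nothing in the code records why OCSP_NOVERIFY is acceptable here, so a later reader may take it for an oversight rather than the configured default. A why-comment above the call would settle that, e.g. `/* verify off: the response signature is still checked against the signer cert, but the signer's chain is not validated (OCSP_NOVERIFY); clients verify the staple themselves */`. The signature-vs-chain split is OpenSSL's documented behaviour for OCSP_NOVERIFY, but it is worth confirming against the OpenSSL versions nginx builds with before committing the wording. The enclosing function starts and ends outside the hunk.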