Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 4879:4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.
Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 01 Oct 2012 12:53:11 +0000 |
| parents | 386a06a22c40 |
| children | e406c997470a |
comparison
equal
deleted
inserted
replaced
| 4878:695cc88ad649 | 4879:4a804fd04e6c |
|---|---|
| 178 { ngx_string("ssl_stapling_responder"), | 178 { ngx_string("ssl_stapling_responder"), |
| 179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
| 180 ngx_conf_set_str_slot, | 180 ngx_conf_set_str_slot, |
| 181 NGX_HTTP_SRV_CONF_OFFSET, | 181 NGX_HTTP_SRV_CONF_OFFSET, |
| 182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), | 182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), |
| 183 NULL }, | |
| 184 | |
| 185 { ngx_string("ssl_stapling_verify"), | |
| 186 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
| 187 ngx_conf_set_flag_slot, | |
| 188 NGX_HTTP_SRV_CONF_OFFSET, | |
| 189 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), | |
| 183 NULL }, | 190 NULL }, |
| 184 | 191 |
| 185 ngx_null_command | 192 ngx_null_command |
| 186 }; | 193 }; |
| 187 | 194 |
| 368 sscf->verify = NGX_CONF_UNSET_UINT; | 375 sscf->verify = NGX_CONF_UNSET_UINT; |
| 369 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 376 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
| 370 sscf->builtin_session_cache = NGX_CONF_UNSET; | 377 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 371 sscf->session_timeout = NGX_CONF_UNSET; | 378 sscf->session_timeout = NGX_CONF_UNSET; |
| 372 sscf->stapling = NGX_CONF_UNSET; | 379 sscf->stapling = NGX_CONF_UNSET; |
| 380 sscf->stapling_verify = NGX_CONF_UNSET; | |
| 373 | 381 |
| 374 return sscf; | 382 return sscf; |
| 375 } | 383 } |
| 376 | 384 |
| 377 | 385 |
| 422 NGX_DEFAULT_ECDH_CURVE); | 430 NGX_DEFAULT_ECDH_CURVE); |
| 423 | 431 |
| 424 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 432 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 425 | 433 |
| 426 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 434 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
| 435 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | |
| 427 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 436 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
| 428 ngx_conf_merge_str_value(conf->stapling_responder, | 437 ngx_conf_merge_str_value(conf->stapling_responder, |
| 429 prev->stapling_responder, ""); | 438 prev->stapling_responder, ""); |
| 430 | 439 |
| 431 conf->ssl.log = cf->log; | 440 conf->ssl.log = cf->log; |
| 563 return NGX_CONF_ERROR; | 572 return NGX_CONF_ERROR; |
| 564 } | 573 } |
| 565 | 574 |
| 566 if (conf->stapling) { | 575 if (conf->stapling) { |
| 567 | 576 |
| 568 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder, | 577 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
| 569 &conf->stapling_file) | 578 &conf->stapling_responder, conf->stapling_verify) |
| 570 != NGX_OK) | 579 != NGX_OK) |
| 571 { | 580 { |
| 572 return NGX_CONF_ERROR; | 581 return NGX_CONF_ERROR; |
| 573 } | 582 } |
| 574 | 583 |