comparison src/http/modules/ngx_http_ssl_module.c @ 4879:4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify directive allows switching it on.
Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway. But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:53:11 +0000 |
parents | 386a06a22c40 |
children | e406c997470a |
4878:695cc88ad649 | 4879:4a804fd04e6c |
---|---|
178 { ngx_string("ssl_stapling_responder"), | 178 { ngx_string("ssl_stapling_responder"), |
179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 179 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
180 ngx_conf_set_str_slot, | 180 ngx_conf_set_str_slot, |
181 NGX_HTTP_SRV_CONF_OFFSET, | 181 NGX_HTTP_SRV_CONF_OFFSET, |
182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), | 182 offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), |
183 NULL }, | |
184 | |
185 { ngx_string("ssl_stapling_verify"), | |
186 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
187 ngx_conf_set_flag_slot, | |
188 NGX_HTTP_SRV_CONF_OFFSET, | |
189 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), | |
183 NULL }, | 190 NULL }, |
184 | 191 |
185 ngx_null_command | 192 ngx_null_command |
186 }; | 193 }; |
187 | 194 |
368 sscf->verify = NGX_CONF_UNSET_UINT; | 375 sscf->verify = NGX_CONF_UNSET_UINT; |
369 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 376 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
370 sscf->builtin_session_cache = NGX_CONF_UNSET; | 377 sscf->builtin_session_cache = NGX_CONF_UNSET; |
371 sscf->session_timeout = NGX_CONF_UNSET; | 378 sscf->session_timeout = NGX_CONF_UNSET; |
372 sscf->stapling = NGX_CONF_UNSET; | 379 sscf->stapling = NGX_CONF_UNSET; |
380 sscf->stapling_verify = NGX_CONF_UNSET; | |
373 | 381 |
374 return sscf; | 382 return sscf; |
375 } | 383 } |
376 | 384 |
377 | 385 |
422 NGX_DEFAULT_ECDH_CURVE); | 430 NGX_DEFAULT_ECDH_CURVE); |
423 | 431 |
424 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 432 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
425 | 433 |
426 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 434 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
435 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | |
427 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 436 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
428 ngx_conf_merge_str_value(conf->stapling_responder, | 437 ngx_conf_merge_str_value(conf->stapling_responder, |
429 prev->stapling_responder, ""); | 438 prev->stapling_responder, ""); |
430 | 439 |
431 conf->ssl.log = cf->log; | 440 conf->ssl.log = cf->log; |
563 return NGX_CONF_ERROR; | 572 return NGX_CONF_ERROR; |
564 } | 573 } |
565 | 574 |
566 if (conf->stapling) { | 575 if (conf->stapling) { |
567 | 576 |
568 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder, | 577 if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, |
569 &conf->stapling_file) | 578 &conf->stapling_responder, conf->stapling_verify) |
570 != NGX_OK) | 579 != NGX_OK) |
571 { | 580 { |
572 return NGX_CONF_ERROR; | 581 return NGX_CONF_ERROR; |
573 } | 582 } |
574 | 583 |
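Review bot: The call at new lines 577-578 reverses the order of the two `ngx_str_t *` arguments — the old call passed `&conf->stapling_responder, &conf->stapling_file`, the new one passes `&conf->stapling_file, &conf->stapling_responder` before the added flag — and since both parameters have the same type the compiler cannot detect a mismatch with the callee. The definition of `ngx_ssl_stapling()` is not on this page, so it should be confirmed that its prototype was changed to the new order in the same changeset; a silent swap would presumably hand the responder URL to the file-loading path and vice versa with no compile-time error. A call-site comment such as `/* ngx_ssl_stapling(cf, ssl, file, responder, verify) — keep in sync with the prototype */` would make the contract obvious to the next reader. Note also that `conf->stapling_verify` merges to 0 in the earlier hunk, so the fetched OCSP response is stapled to every client unverified unless the new directive is set explicitly. The enclosing function begins before and continues past this hunk.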