Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 4872:7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification. In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.
Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.
The same applies to a CRL (which is now always loaded).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:39:36 +0000 |
parents | 22a6ef66b6f5 |
children | 386a06a22c40 |
comparison
equal
deleted
inserted
replaced
4871:c85cefbdaafe | 4872:7c3cca603438 |
---|---|
289 */ | 289 */ |
290 | 290 |
291 ERR_clear_error(); | 291 ERR_clear_error(); |
292 | 292 |
293 SSL_CTX_set_client_CA_list(ssl->ctx, list); | 293 SSL_CTX_set_client_CA_list(ssl->ctx, list); |
294 | |
295 return NGX_OK; | |
296 } | |
297 | |
298 | |
299 ngx_int_t | |
300 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, | |
301 ngx_int_t depth) | |
302 { | |
303 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
304 | |
305 if (cert->len == 0) { | |
306 return NGX_OK; | |
307 } | |
308 | |
309 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { | |
310 return NGX_ERROR; | |
311 } | |
312 | |
313 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
314 == 0) | |
315 { | |
316 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
317 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
318 cert->data); | |
319 return NGX_ERROR; | |
320 } | |
294 | 321 |
295 return NGX_OK; | 322 return NGX_OK; |
296 } | 323 } |
297 | 324 |
298 | 325 |