OCSP stapling: ssl_trusted_certificate directive.
The directive allows specifying additional trusted Certificate Authority
certificates to be used during certificate verification. In contrast to
ssl_client_certificate, the DNs of these certificates aren't sent to a client
during handshake.
Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.
The same applies to a CRL (which is now always loaded).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 01 Oct 2012 12:39:36 +0000 |
parents | d620f497c50f |
children | dd74fd35ceb5 |
4871:c85cefbdaafe | 4872:7c3cca603438 |
---|---|
120 { ngx_string("ssl_client_certificate"), | 120 { ngx_string("ssl_client_certificate"), |
121 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 121 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
122 ngx_conf_set_str_slot, | 122 ngx_conf_set_str_slot, |
123 NGX_HTTP_SRV_CONF_OFFSET, | 123 NGX_HTTP_SRV_CONF_OFFSET, |
124 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), | 124 offsetof(ngx_http_ssl_srv_conf_t, client_certificate), |
125 NULL }, | |
126 | |
127 { ngx_string("ssl_trusted_certificate"), | |
128 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
129 ngx_conf_set_str_slot, | |
130 NGX_HTTP_SRV_CONF_OFFSET, | |
131 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate), | |
125 NULL }, | 132 NULL }, |
126 | 133 |
127 { ngx_string("ssl_prefer_server_ciphers"), | 134 { ngx_string("ssl_prefer_server_ciphers"), |
128 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 135 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
129 ngx_conf_set_flag_slot, | 136 ngx_conf_set_flag_slot, |
323 * sscf->certificate = { 0, NULL }; | 330 * sscf->certificate = { 0, NULL }; |
324 * sscf->certificate_key = { 0, NULL }; | 331 * sscf->certificate_key = { 0, NULL }; |
325 * sscf->dhparam = { 0, NULL }; | 332 * sscf->dhparam = { 0, NULL }; |
326 * sscf->ecdh_curve = { 0, NULL }; | 333 * sscf->ecdh_curve = { 0, NULL }; |
327 * sscf->client_certificate = { 0, NULL }; | 334 * sscf->client_certificate = { 0, NULL }; |
335 * sscf->trusted_certificate = { 0, NULL }; | |
328 * sscf->crl = { 0, NULL }; | 336 * sscf->crl = { 0, NULL }; |
329 * sscf->ciphers = { 0, NULL }; | 337 * sscf->ciphers = { 0, NULL }; |
330 * sscf->shm_zone = NULL; | 338 * sscf->shm_zone = NULL; |
331 */ | 339 */ |
332 | 340 |
378 | 386 |
379 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); | 387 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); |
380 | 388 |
381 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, | 389 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, |
382 ""); | 390 ""); |
391 ngx_conf_merge_str_value(conf->trusted_certificate, | |
392 prev->trusted_certificate, ""); | |
383 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); | 393 ngx_conf_merge_str_value(conf->crl, prev->crl, ""); |
384 | 394 |
385 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 395 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
386 NGX_DEFAULT_ECDH_CURVE); | 396 NGX_DEFAULT_ECDH_CURVE); |
387 | 397 |
477 conf->verify_depth) | 487 conf->verify_depth) |
478 != NGX_OK) | 488 != NGX_OK) |
479 { | 489 { |
480 return NGX_CONF_ERROR; | 490 return NGX_CONF_ERROR; |
481 } | 491 } |
482 | 492 } |
483 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | 493 |
484 return NGX_CONF_ERROR; | 494 if (ngx_ssl_trusted_certificate(cf, &conf->ssl, |
485 } | 495 &conf->trusted_certificate, |
496 conf->verify_depth) | |
497 != NGX_OK) | |
498 { | |
499 return NGX_CONF_ERROR; | |
500 } | |
501 | |
502 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | |
503 return NGX_CONF_ERROR; | |
486 } | 504 } |
487 | 505 |
488 if (conf->prefer_server_ciphers) { | 506 if (conf->prefer_server_ciphers) { |
489 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); | 507 SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
490 } | 508 } |
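Review bot: The unconditional `ngx_ssl_trusted_certificate` and `ngx_ssl_crl` calls on new lines 494–504 carry no comment, so a reader sees CA certificates and a CRL being loaded while client verification may be off and cannot tell why; the rationale lives only in the commit message. I would add above the `ngx_ssl_trusted_certificate` call `/* trusted CAs and the CRL are loaded even when ssl_verify_client is off: they are also used to build and verify OCSP stapling requests and responses */`. The call also passes `conf->verify_depth`, which presumably bounds the OCSP chain verification as well — worth confirming that the configured depth is meant to apply when client verification is off, and stating it in the same comment if so. The enclosing merge function starts and ends outside the hunk.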