comparison src/event/ngx_event_openssl.h @ 7653:8409f9df6219

SSL: client certificate validation with OCSP (ticket #1534). OCSP validation for client certificates is enabled by the "ssl_ocsp" directive. OCSP responder can be optionally specified by "ssl_ocsp_responder". When session is reused, peer chain is not available for validation. If the verified chain contains certificates from the peer chain not available at the server, validation will fail.
author Roman Arutyunyan <arut@nginx.com>
date Fri, 22 May 2020 17:30:12 +0300
parents 1ce3f01a4355
children b56f725dd4bb
7652:7cffd81015e7 7653:8409f9df6219
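--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -62,10 +62,13 @@
 #if (OPENSSL_VERSION_NUMBER < 0x10002000L)
 #define SSL_is_server(s) (s)->server
 #endif
 
 
+typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
+
+
 struct ngx_ssl_s {
     SSL_CTX *ctx;
     ngx_log_t *log;
     size_t buffer_size;
 };
@@ -84,10 +87,12 @@
     ngx_ssl_session_t *session;
     ngx_connection_handler_pt save_session;
 
     ngx_event_handler_pt saved_read_handler;
     ngx_event_handler_pt saved_write_handler;
+
+    ngx_ssl_ocsp_t *ocsp;
 
     u_char early_buf;
 
     unsigned handshaked:1;
     unsigned renegotiation:1;
@@ -95,10 +100,11 @@
     unsigned no_wait_shutdown:1;
     unsigned no_send_shutdown:1;
     unsigned handshake_buffer_set:1;
     unsigned try_early_data:1;
     unsigned in_early:1;
+    unsigned in_ocsp:1;
     unsigned early_preread:1;
     unsigned write_blocked:1;
 };
 
 
@@ -178,10 +184,17 @@
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
+ngx_int_t ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
+    ngx_uint_t depth);
+ngx_int_t ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
+ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
+ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
+void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
     int key_length);
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
     ngx_array_t *passwords);
@@ -279,10 +292,11 @@
 
 extern int ngx_ssl_connection_index;
 extern int ngx_ssl_server_conf_index;
 extern int ngx_ssl_session_cache_index;
 extern int ngx_ssl_session_ticket_keys_index;
+extern int ngx_ssl_ocsp_index;
 extern int ngx_ssl_certificate_index;
 extern int ngx_ssl_next_certificate_index;
 extern int ngx_ssl_certificate_name_index;
 extern int ngx_ssl_stapling_index;
 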
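Review bot: The new OCSP prototypes (new-side lines 189-195) carry no comment on their contracts, and the session-reuse limitation stated in the commit message is exactly what a caller of ngx_ssl_ocsp_validate() needs to find in this header rather than in the log. I would put above `ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);` a comment such as `/* OCSP-validates the verified client chain; on a reused session the peer chain is unavailable, so a chain certificate not present at the server makes validation fail */`. Likewise `ngx_ssl_ocsp_get_status()` should state whether the string stored through `s` is static or must not be used after `ngx_ssl_ocsp_cleanup()`, and `ngx_ssl_ocsp()` what `depth` bounds (presumably how far up the verified chain OCSP checks are made, to be confirmed against the implementation, which lives outside this header). The same goes for the new `in_ocsp:1` flag and `ocsp` member of the connection struct, whose relationship to the existing handshake state bits is not described.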