Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 7653:8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".
When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Fri, 22 May 2020 17:30:12 +0300 |
| parents | ef7ee19776db |
| children | b56f725dd4bb |
comparison
equal
deleted
inserted
replaced
| 7652:7cffd81015e7 | 7653:8409f9df6219 |
|---|---|
| 72 { ngx_string("optional_no_ca"), 3 }, | 72 { ngx_string("optional_no_ca"), 3 }, |
| 73 { ngx_null_string, 0 } | 73 { ngx_null_string, 0 } |
| 74 }; | 74 }; |
| 75 | 75 |
| 76 | 76 |
| 77 static ngx_conf_enum_t ngx_http_ssl_ocsp[] = { | |
| 78 { ngx_string("off"), 0 }, | |
| 79 { ngx_string("on"), 1 }, | |
| 80 { ngx_string("leaf"), 2 }, | |
| 81 { ngx_null_string, 0 } | |
| 82 }; | |
| 83 | |
| 84 | |
| 77 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { | 85 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = { |
| 78 ngx_conf_deprecated, "ssl", "listen ... ssl" | 86 ngx_conf_deprecated, "ssl", "listen ... ssl" |
| 79 }; | 87 }; |
| 80 | 88 |
| 81 | 89 |
| 210 { ngx_string("ssl_crl"), | 218 { ngx_string("ssl_crl"), |
| 211 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 219 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
| 212 ngx_conf_set_str_slot, | 220 ngx_conf_set_str_slot, |
| 213 NGX_HTTP_SRV_CONF_OFFSET, | 221 NGX_HTTP_SRV_CONF_OFFSET, |
| 214 offsetof(ngx_http_ssl_srv_conf_t, crl), | 222 offsetof(ngx_http_ssl_srv_conf_t, crl), |
| 223 NULL }, | |
| 224 | |
| 225 { ngx_string("ssl_ocsp"), | |
| 226 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
| 227 ngx_conf_set_enum_slot, | |
| 228 NGX_HTTP_SRV_CONF_OFFSET, | |
| 229 offsetof(ngx_http_ssl_srv_conf_t, ocsp), | |
| 230 &ngx_http_ssl_ocsp }, | |
| 231 | |
| 232 { ngx_string("ssl_ocsp_responder"), | |
| 233 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
| 234 ngx_conf_set_str_slot, | |
| 235 NGX_HTTP_SRV_CONF_OFFSET, | |
| 236 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), | |
| 215 NULL }, | 237 NULL }, |
| 216 | 238 |
| 217 { ngx_string("ssl_stapling"), | 239 { ngx_string("ssl_stapling"), |
| 218 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 240 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 219 ngx_conf_set_flag_slot, | 241 ngx_conf_set_flag_slot, |
| 559 * sscf->client_certificate = { 0, NULL }; | 581 * sscf->client_certificate = { 0, NULL }; |
| 560 * sscf->trusted_certificate = { 0, NULL }; | 582 * sscf->trusted_certificate = { 0, NULL }; |
| 561 * sscf->crl = { 0, NULL }; | 583 * sscf->crl = { 0, NULL }; |
| 562 * sscf->ciphers = { 0, NULL }; | 584 * sscf->ciphers = { 0, NULL }; |
| 563 * sscf->shm_zone = NULL; | 585 * sscf->shm_zone = NULL; |
| 586 * sscf->ocsp_responder = { 0, NULL }; | |
| 564 * sscf->stapling_file = { 0, NULL }; | 587 * sscf->stapling_file = { 0, NULL }; |
| 565 * sscf->stapling_responder = { 0, NULL }; | 588 * sscf->stapling_responder = { 0, NULL }; |
| 566 */ | 589 */ |
| 567 | 590 |
| 568 sscf->enable = NGX_CONF_UNSET; | 591 sscf->enable = NGX_CONF_UNSET; |
| 576 sscf->passwords = NGX_CONF_UNSET_PTR; | 599 sscf->passwords = NGX_CONF_UNSET_PTR; |
| 577 sscf->builtin_session_cache = NGX_CONF_UNSET; | 600 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 578 sscf->session_timeout = NGX_CONF_UNSET; | 601 sscf->session_timeout = NGX_CONF_UNSET; |
| 579 sscf->session_tickets = NGX_CONF_UNSET; | 602 sscf->session_tickets = NGX_CONF_UNSET; |
| 580 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 603 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 604 sscf->ocsp = NGX_CONF_UNSET_UINT; | |
| 581 sscf->stapling = NGX_CONF_UNSET; | 605 sscf->stapling = NGX_CONF_UNSET; |
| 582 sscf->stapling_verify = NGX_CONF_UNSET; | 606 sscf->stapling_verify = NGX_CONF_UNSET; |
| 583 | 607 |
| 584 return sscf; | 608 return sscf; |
| 585 } | 609 } |
| 638 | 662 |
| 639 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, | 663 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, |
| 640 NGX_DEFAULT_ECDH_CURVE); | 664 NGX_DEFAULT_ECDH_CURVE); |
| 641 | 665 |
| 642 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 666 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 667 | |
| 668 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); | |
| 669 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); | |
| 643 | 670 |
| 644 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 671 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
| 645 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | 672 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
| 646 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 673 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
| 647 ngx_conf_merge_str_value(conf->stapling_responder, | 674 ngx_conf_merge_str_value(conf->stapling_responder, |
| 798 return NGX_CONF_ERROR; | 825 return NGX_CONF_ERROR; |
| 799 } | 826 } |
| 800 | 827 |
| 801 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { | 828 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { |
| 802 return NGX_CONF_ERROR; | 829 return NGX_CONF_ERROR; |
| 830 } | |
| 831 | |
| 832 if (conf->ocsp) { | |
| 833 | |
| 834 if (conf->verify == 3) { | |
| 835 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | |
| 836 "\"ssl_ocsp\" is incompatible with " | |
| 837 "\"ssl_verify_client optional_no_ca\""); | |
| 838 return NGX_CONF_ERROR; | |
| 839 } | |
| 840 | |
| 841 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp) | |
| 842 != NGX_OK) | |
| 843 { | |
| 844 return NGX_CONF_ERROR; | |
| 845 } | |
| 803 } | 846 } |
| 804 | 847 |
| 805 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { | 848 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) { |
| 806 return NGX_CONF_ERROR; | 849 return NGX_CONF_ERROR; |
| 807 } | 850 } |
| 1116 | 1159 |
| 1117 for (s = 0; s < cmcf->servers.nelts; s++) { | 1160 for (s = 0; s < cmcf->servers.nelts; s++) { |
| 1118 | 1161 |
| 1119 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; | 1162 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; |
| 1120 | 1163 |
| 1121 if (sscf->ssl.ctx == NULL || !sscf->stapling) { | 1164 if (sscf->ssl.ctx == NULL) { |
| 1122 continue; | 1165 continue; |
| 1123 } | 1166 } |
| 1124 | 1167 |
| 1125 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; | 1168 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index]; |
| 1126 | 1169 |
| 1127 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | 1170 if (sscf->stapling) { |
| 1171 if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver, | |
| 1172 clcf->resolver_timeout) | |
| 1173 != NGX_OK) | |
| 1174 { | |
| 1175 return NGX_ERROR; | |
| 1176 } | |
| 1177 } | |
| 1178 | |
| 1179 if (sscf->ocsp) { | |
| 1180 if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver, | |
| 1128 clcf->resolver_timeout) | 1181 clcf->resolver_timeout) |
| 1129 != NGX_OK) | 1182 != NGX_OK) |
| 1130 { | 1183 { |
| 1131 return NGX_ERROR; | 1184 return NGX_ERROR; |
| 1185 } | |
| 1132 } | 1186 } |
| 1133 } | 1187 } |
| 1134 | 1188 |
| 1135 if (cmcf->ports == NULL) { | 1189 if (cmcf->ports == NULL) { |
| 1136 return NGX_OK; | 1190 return NGX_OK; |