comparison src/http/modules/ngx_http_ssl_module.c @ 7653:8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".
When a session is reused, the peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Fri, 22 May 2020 17:30:12 +0300 |
parents | ef7ee19776db |
children | b56f725dd4bb |
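--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -72,10 +72,18 @@
 { ngx_string("optional_no_ca"), 3 },
 { ngx_null_string, 0 }
 };
 
 
+static ngx_conf_enum_t ngx_http_ssl_ocsp[] = {
+{ ngx_string("off"), 0 },
+{ ngx_string("on"), 1 },
+{ ngx_string("leaf"), 2 },
+{ ngx_null_string, 0 }
+};
+
+
 static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
 ngx_conf_deprecated, "ssl", "listen ... ssl"
 };
 
 
@@ -210,10 +218,24 @@
 { ngx_string("ssl_crl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_SRV_CONF_OFFSET,
 offsetof(ngx_http_ssl_srv_conf_t, crl),
+NULL },
+
+{ ngx_string("ssl_ocsp"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_enum_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, ocsp),
+&ngx_http_ssl_ocsp },
+
+{ ngx_string("ssl_ocsp_responder"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_SRV_CONF_OFFSET,
+offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder),
 NULL },
 
 { ngx_string("ssl_stapling"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
@@ -559,10 +581,11 @@
 * sscf->client_certificate = { 0, NULL };
 * sscf->trusted_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
 * sscf->shm_zone = NULL;
+* sscf->ocsp_responder = { 0, NULL };
 * sscf->stapling_file = { 0, NULL };
 * sscf->stapling_responder = { 0, NULL };
 */
 
 sscf->enable = NGX_CONF_UNSET;
@@ -576,10 +599,11 @@
 sscf->passwords = NGX_CONF_UNSET_PTR;
 sscf->builtin_session_cache = NGX_CONF_UNSET;
 sscf->session_timeout = NGX_CONF_UNSET;
 sscf->session_tickets = NGX_CONF_UNSET;
 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+sscf->ocsp = NGX_CONF_UNSET_UINT;
 sscf->stapling = NGX_CONF_UNSET;
 sscf->stapling_verify = NGX_CONF_UNSET;
 
 return sscf;
 }
@@ -638,10 +662,13 @@
 
 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
 NGX_DEFAULT_ECDH_CURVE);
 
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+
+ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
+ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
 
 ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
 ngx_conf_merge_str_value(conf->stapling_responder,
@@ -798,10 +825,26 @@
 return NGX_CONF_ERROR;
 }
 
 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
 return NGX_CONF_ERROR;
+}
+
+if (conf->ocsp) {
+
+if (conf->verify == 3) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"\"ssl_ocsp\" is incompatible with "
+"\"ssl_verify_client optional_no_ca\"");
+return NGX_CONF_ERROR;
+}
+
+if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp)
+!= NGX_OK)
+{
+return NGX_CONF_ERROR;
+}
 }
 
 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
@@ -1116,21 +1159,32 @@
 
 for (s = 0; s < cmcf->servers.nelts; s++) {
 
 sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
 
-if (sscf->ssl.ctx == NULL || !sscf->stapling) {
+if (sscf->ssl.ctx == NULL) {
 continue;
 }
 
 clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
 
-if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
+if (sscf->stapling) {
+if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
+clcf->resolver_timeout)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+}
+
+if (sscf->ocsp) {
+if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, clcf->resolver,
 clcf->resolver_timeout)
 != NGX_OK)
 {
 return NGX_ERROR;
+}
 }
 }
 
 if (cmcf->ports == NULL) {
 return NGX_OK;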