comparison src/http/ngx_http_request.c @ 7653:8409f9df6219

SSL: client certificate validation with OCSP (ticket #1534). OCSP validation for client certificates is enabled by the "ssl_ocsp" directive. The OCSP responder can optionally be specified by "ssl_ocsp_responder". When a session is reused, the peer chain is not available for validation. If the verified chain contains certificates from the peer chain that are not available at the server, validation will fail.
author Roman Arutyunyan <arut@nginx.com>
date Fri, 22 May 2020 17:30:12 +0300
parents 1d207b77b44a
children 8253424d1aff 7995cd199b52
7652:7cffd81015e7 7653:8409f9df6219
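--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1991,10 +1991,11 @@
 #if (NGX_HTTP_SSL)
 
 if (r->http_connection->ssl) {
 long rc;
 X509 *cert;
+const char *s;
 ngx_http_ssl_srv_conf_t *sscf;
 
 if (c->ssl == NULL) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "client sent plain HTTP request to HTTPS port");
@@ -2034,10 +2035,21 @@
 ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
 return;
 }
 
 X509_free(cert);
+}
+
+if (ngx_ssl_ocsp_get_status(c, &s) != NGX_OK) {
+ngx_log_error(NGX_LOG_INFO, c->log, 0,
+"client SSL certificate verify error: %s", s);
+
+ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+(SSL_get0_session(c->ssl->connection)));
+
+ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
+return;
 }
 }
 }
 
 #endif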
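Review bot: The OCSP failure branch at new lines 2042–2050 evicts the cached session without saying why, and the reason is security-relevant: per the commit description the peer chain is not available when a session is reused, so leaving the session in the cache would let a certificate that just failed OCSP be resumed without re-validation. I would add `/* drop the session: a resumed session cannot re-validate the client chain */` above the ngx_ssl_remove_cached_session() call. The log call also relies on ngx_ssl_ocsp_get_status() assigning `s` on every non-NGX_OK return; that contract is not visible in this hunk, and `s` is declared without an initializer at new line 1996, so it is worth confirming before the message is formatted. The enclosing function begins and ends outside the hunk.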