comparison src/http/ngx_http_request.c @ 7653:8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".
When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
author | Roman Arutyunyan <arut@nginx.com> |
date | Fri, 22 May 2020 17:30:12 +0300 |
parents | 1d207b77b44a |
children | 8253424d1aff 7995cd199b52 |
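--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1991,10 +1991,11 @@
 #if (NGX_HTTP_SSL)
 
 if (r->http_connection->ssl) {
 long rc;
 X509 *cert;
+const char *s;
 ngx_http_ssl_srv_conf_t *sscf;
 
 if (c->ssl == NULL) {
 ngx_log_error(NGX_LOG_INFO, c->log, 0,
 "client sent plain HTTP request to HTTPS port");
@@ -2034,10 +2035,21 @@
 ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
 return;
 }
 
 X509_free(cert);
+}
+
+if (ngx_ssl_ocsp_get_status(c, &s) != NGX_OK) {
+ngx_log_error(NGX_LOG_INFO, c->log, 0,
+"client SSL certificate verify error: %s", s);
+
+ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+(SSL_get0_session(c->ssl->connection)));
+
+ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
+return;
 }
 }
 }
 
 #endif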
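Review bot: `s` is declared without an initializer in the first hunk and is written only by ngx_ssl_ocsp_get_status(), yet the failure branch in the second hunk hands it to `%s` in ngx_log_error(), so the new code depends on that function setting *s on every non-NGX_OK return — a contract that is not visible here and deserves a line at the call site, e.g. `/* on failure ngx_ssl_ocsp_get_status() sets s to a printable reason */`. The opening braces of the blocks that the added `}` and the OCSP check sit in are outside the hunk, so whether the check is reached only when client verification is configured cannot be confirmed from this view; a second comment such as `/* OCSP status is checked for every verify mode once the peer certificate was accepted */` would make the intended placement explicit if that is what the surrounding code does. Removing the cached session on OCSP failure is consistent with the commit message's note that a reused session has no peer chain to validate, since it forces a full handshake next time. The enclosing function starts and ends outside both hunks.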