Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 6548:8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
A pointer to a previously configured certificate now stored in a certificate.
This makes it possible to iterate though all certificates configured in
the SSL context. This is now used to configure OCSP stapling for all
certificates, and in ngx_ssl_session_id_context().
As SSL_CTX_use_certificate() frees previously loaded certificate of the same
type, and we have no way to find out if it's the case, X509_free() calls
are now posponed till ngx_ssl_cleanup_ctx().
Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata
using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions.
These are not yet available in all supported versions though, so it's easier
to continue to use exdata for now.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | e222a97d46c1 |
| children | d3302eb87a0c |
comparison
equal
deleted
inserted
replaced
| 6547:e222a97d46c1 | 6548:8a34e92d8ab5 |
|---|---|
| 124 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, | 124 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
| 125 ngx_str_t *responder, ngx_uint_t verify) | 125 ngx_str_t *responder, ngx_uint_t verify) |
| 126 { | 126 { |
| 127 X509 *cert; | 127 X509 *cert; |
| 128 | 128 |
| 129 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 129 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
| 130 | 130 cert; |
| 131 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) | 131 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
| 132 != NGX_OK) | |
| 133 { | 132 { |
| 134 return NGX_ERROR; | 133 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
| 134 != NGX_OK) | |
| 135 { | |
| 136 return NGX_ERROR; | |
| 137 } | |
| 135 } | 138 } |
| 136 | 139 |
| 137 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); | 140 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
| 138 | 141 |
| 139 return NGX_OK; | 142 return NGX_OK; |
| 453 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) | 456 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
| 454 { | 457 { |
| 455 X509 *cert; | 458 X509 *cert; |
| 456 ngx_ssl_stapling_t *staple; | 459 ngx_ssl_stapling_t *staple; |
| 457 | 460 |
| 458 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 461 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
| 459 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | 462 cert; |
| 460 | 463 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
| 461 staple->resolver = resolver; | 464 { |
| 462 staple->resolver_timeout = resolver_timeout; | 465 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
| 466 staple->resolver = resolver; | |
| 467 staple->resolver_timeout = resolver_timeout; | |
| 468 } | |
| 463 | 469 |
| 464 return NGX_OK; | 470 return NGX_OK; |
| 465 } | 471 } |
| 466 | 472 |
| 467 | 473 |