comparison src/event/ngx_event_openssl_stapling.c @ 6548:8a34e92d8ab5
SSL: made it possible to iterate through all certificates.
A pointer to a previously configured certificate is now stored in a certificate.
This makes it possible to iterate through all certificates configured in
the SSL context. This is now used to configure OCSP stapling for all
certificates, and in ngx_ssl_session_id_context().
As SSL_CTX_use_certificate() frees previously loaded certificate of the same
type, and we have no way to find out if it's the case, X509_free() calls
are now postponed till ngx_ssl_cleanup_ctx().
Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata
using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions.
These are not yet available in all supported versions though, so it's easier
to continue to use exdata for now.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | e222a97d46c1 |
children | d3302eb87a0c |
6547:e222a97d46c1 | 6548:8a34e92d8ab5 |
---|---|
124 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, | 124 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
125 ngx_str_t *responder, ngx_uint_t verify) | 125 ngx_str_t *responder, ngx_uint_t verify) |
126 { | 126 { |
127 X509 *cert; | 127 X509 *cert; |
128 | 128 |
129 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 129 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
130 | 130 cert; |
131 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) | 131 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
132 != NGX_OK) | |
133 { | 132 { |
134 return NGX_ERROR; | 133 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
134 != NGX_OK) | |
135 { | |
136 return NGX_ERROR; | |
137 } | |
135 } | 138 } |
136 | 139 |
137 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); | 140 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
138 | 141 |
139 return NGX_OK; | 142 return NGX_OK; |
453 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) | 456 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
454 { | 457 { |
455 X509 *cert; | 458 X509 *cert; |
456 ngx_ssl_stapling_t *staple; | 459 ngx_ssl_stapling_t *staple; |
457 | 460 |
458 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 461 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
459 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | 462 cert; |
460 | 463 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
461 staple->resolver = resolver; | 464 { |
462 staple->resolver_timeout = resolver_timeout; | 465 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
466 staple->resolver = resolver; | |
467 staple->resolver_timeout = resolver_timeout; | |
468 } | |
463 | 469 |
464 return NGX_OK; | 470 return NGX_OK; |
465 } | 471 } |
466 | 472 |
467 | 473 |
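Review bot: The new loop in ngx_ssl_stapling (new lines 129-138) hands the same `file` and `responder` to ngx_ssl_stapling_certificate for every certificate in the chain, so a statically configured OCSP response file would be attached to all of them; an OCSP response is bound to a single certificate, so with two certificates of different key types at least one would be stapled with a response that does not match it. Whether ngx_ssl_stapling_certificate actually loads `file` per certificate is not visible in this hunk, so if that is the case a comment on the loop such as `/* file and responder are shared by all certificates; a static response can match only one of them */` would document the limitation until a per-certificate file is supported. The second hunk (ngx_ssl_stapling_resolver, new lines 461-468) dereferences `staple` for every certificate without a NULL check, which is only safe if ngx_ssl_stapling attached a stapling object to each certificate before this is called; a short comment stating that precondition would help. Both enclosing functions start before their hunks (the return type line is not shown), and ngx_ssl_stapling's closing brace lies after its hunk.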