nginx: src/event/ngx_event_openssl

comparison src/event/ngx_event_openssl_stapling.c @ 6546:a2d5d45f1525

OCSP stapling: staple now extracted via SSL_get_certificate(). This makes it possible to properly return OCSP staple with multiple certificates configured. Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+. In older versions SSL_get_certificate() fails to return correct certificate when the certificate status callback is called.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 19 May 2016 14:46:32 +0300
parents	a873b4d9cd80
children	e222a97d46c1

comparison

equal deleted inserted replaced

-:a873b4d9cd80
+:a2d5d45f1525
 }
 done:
 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
-SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);
 return NGX_OK;
 }
 static int
 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
 {
 int                  rc;
+X509                *cert;
 u_char              *p;
 ngx_connection_t    *c;
 ngx_ssl_stapling_t  *staple;
 c = ngx_ssl_get_connection(ssl_conn);
 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "SSL certificate status callback");
-staple = data;
 rc = SSL_TLSEXT_ERR_NOACK;
+cert = SSL_get_certificate(ssl_conn);
+staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
+if (staple == NULL) {
+return rc;
+}
 if (staple->staple.len
 && staple->valid >= ngx_time())
 {
 /* we have to copy ocsp response as OpenSSL will free it by itself */

Mercurial > hg > nginx

comparison src/event/ngx_event_openssl_stapling.c @ 6546:a2d5d45f1525