comparison src/event/ngx_event_openssl_stapling.c @ 6546:a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
This makes it possible to properly return OCSP staple with multiple
certificates configured.
Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return the correct certificate
when the certificate status callback is called.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | a873b4d9cd80 |
children | e222a97d46c1 |
6545:a873b4d9cd80 | 6546:a2d5d45f1525 |
---|---|
183 } | 183 } |
184 | 184 |
185 done: | 185 done: |
186 | 186 |
187 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); | 187 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
188 SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple); | |
189 | 188 |
190 return NGX_OK; | 189 return NGX_OK; |
191 } | 190 } |
192 | 191 |
193 | 192 |
453 | 452 |
454 static int | 453 static int |
455 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) | 454 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) |
456 { | 455 { |
457 int rc; | 456 int rc; |
457 X509 *cert; | |
458 u_char *p; | 458 u_char *p; |
459 ngx_connection_t *c; | 459 ngx_connection_t *c; |
460 ngx_ssl_stapling_t *staple; | 460 ngx_ssl_stapling_t *staple; |
461 | 461 |
462 c = ngx_ssl_get_connection(ssl_conn); | 462 c = ngx_ssl_get_connection(ssl_conn); |
463 | 463 |
464 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | 464 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
465 "SSL certificate status callback"); | 465 "SSL certificate status callback"); |
466 | 466 |
467 staple = data; | |
468 rc = SSL_TLSEXT_ERR_NOACK; | 467 rc = SSL_TLSEXT_ERR_NOACK; |
468 | |
469 cert = SSL_get_certificate(ssl_conn); | |
470 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | |
471 | |
472 if (staple == NULL) { | |
473 return rc; | |
474 } | |
469 | 475 |
470 if (staple->staple.len | 476 if (staple->staple.len |
471 && staple->valid >= ngx_time()) | 477 && staple->valid >= ngx_time()) |
472 { | 478 { |
473 /* we have to copy ocsp response as OpenSSL will free it by itself */ | 479 /* we have to copy ocsp response as OpenSSL will free it by itself */ |
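Review bot: The new lookup in ngx_ssl_certificate_status_callback hands the result of SSL_get_certificate() straight to X509_get_ex_data(), but SSL_get_certificate() can return NULL (it does when no certificate is set for the connection) and X509_get_ex_data() dereferences its X509 argument, so the callback can fault on a NULL pointer before the existing `staple == NULL` check is ever reached; add `if (cert == NULL) { return rc; }` between the SSL_get_certificate() call and the X509_get_ex_data() call. With the SSL_CTX_set_tlsext_status_arg() call removed in the earlier hunk, the callback's `data` parameter is now unused, which is worth a one-line comment such as `/* data is unused: the staple is taken from the certificate's ex_data */` so a later reader does not reintroduce the old per-context argument. The callback's body continues past the end of this section.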