comparison src/event/ngx_event_openssl.c @ 7461:a68799465b19
SSL: loading of connection-specific certificates.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 25 Feb 2019 16:41:44 +0300 |
parents | 77436d9951a1 |
children | 180df83473a4 |
7460:77436d9951a1 | 7461:a68799465b19 |
---|---|
526 | 526 |
527 return NGX_OK; | 527 return NGX_OK; |
528 } | 528 } |
529 | 529 |
530 | 530 |
531 ngx_int_t | |
532 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, | |
533 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) | |
534 { | |
535 char *err; | |
536 X509 *x509; | |
537 EVP_PKEY *pkey; | |
538 STACK_OF(X509) *chain; | |
539 | |
540 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); | |
541 if (x509 == NULL) { | |
542 if (err != NULL) { | |
543 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
544 "cannot load certificate \"%s\": %s", | |
545 cert->data, err); | |
546 } | |
547 | |
548 return NGX_ERROR; | |
549 } | |
550 | |
551 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { | |
552 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
553 "SSL_use_certificate(\"%s\") failed", cert->data); | |
554 X509_free(x509); | |
555 sk_X509_pop_free(chain, X509_free); | |
556 return NGX_ERROR; | |
557 } | |
558 | |
559 X509_free(x509); | |
560 | |
561 #ifdef SSL_set0_chain | |
562 | |
563 /* | |
564 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, | |
565 * but this function is only called via certificate callback, | |
566 * which is only available in OpenSSL 1.0.2+ as well | |
567 */ | |
568 | |
569 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { | |
570 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
571 "SSL_set0_chain(\"%s\") failed", cert->data); | |
572 sk_X509_pop_free(chain, X509_free); | |
573 return NGX_ERROR; | |
574 } | |
575 | |
576 #endif | |
577 | |
578 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); | |
579 if (pkey == NULL) { | |
580 if (err != NULL) { | |
581 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
582 "cannot load certificate key \"%s\": %s", | |
583 key->data, err); | |
584 } | |
585 | |
586 return NGX_ERROR; | |
587 } | |
588 | |
589 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { | |
590 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, | |
591 "SSL_use_PrivateKey(\"%s\") failed", key->data); | |
592 EVP_PKEY_free(pkey); | |
593 return NGX_ERROR; | |
594 } | |
595 | |
596 EVP_PKEY_free(pkey); | |
597 | |
598 return NGX_OK; | |
599 } | |
600 | |
601 | |
531 static X509 * | 602 static X509 * |
532 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, | 603 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
533 STACK_OF(X509) **chain) | 604 STACK_OF(X509) **chain) |
534 { | 605 { |
535 BIO *bio; | 606 BIO *bio; |
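Review bot: When `SSL_set0_chain` is not defined, the `chain` that `ngx_ssl_load_certificate()` hands back at new line 540 is neither installed nor freed, so `ngx_ssl_connection_certificate()` leaks it on that build; the comment at new lines 563-567 argues the path is unreachable because the certificate callback itself needs OpenSSL 1.0.2+, but the function should not rely on its only caller for that. An `#else` branch with `sk_X509_pop_free(chain, X509_free);` keeps ownership of the chain explicit inside the function, matching how the `SSL_use_certificate` and `SSL_set0_chain` failure paths already release it. It would also help to state in a header comment that once the key fails to load or `SSL_use_PrivateKey` fails (new lines 579-594), the certificate and chain stay installed on `c->ssl->connection` and only NGX_ERROR signals the problem, so the caller is presumably expected to abort the handshake rather than continue with that connection. The second hunk at new lines 2821-2822 quiets `SSL_R_CERT_CB_ERROR` in the error filter, which is reasonable given this function already logs the underlying cause at NGX_LOG_ERR; that hunk continues past the end of the visible page.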
2744 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING | 2815 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
2745 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ | 2816 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
2746 #endif | 2817 #endif |
2747 #ifdef SSL_R_INAPPROPRIATE_FALLBACK | 2818 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
2748 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ | 2819 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
2820 #endif | |
2821 #ifdef SSL_R_CERT_CB_ERROR | |
2822 || n == SSL_R_CERT_CB_ERROR /* 377 */ | |
2749 #endif | 2823 #endif |
2750 #ifdef SSL_R_VERSION_TOO_LOW | 2824 #ifdef SSL_R_VERSION_TOO_LOW |
2751 || n == SSL_R_VERSION_TOO_LOW /* 396 */ | 2825 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
2752 #endif | 2826 #endif |
2753 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ | 2827 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |