comparison src/event/ngx_event_openssl_stapling.c @ 6812:a7ec59df0c4d

OCSP stapling: added certificate name to warnings.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 05 Dec 2016 22:23:22 +0300
parents 5eb3309d0b9e
children 94586180fb41
6811:5eb3309d0b9e 6812:a7ec59df0c4d
28 28
29 SSL_CTX *ssl_ctx; 29 SSL_CTX *ssl_ctx;
30 30
31 X509 *cert; 31 X509 *cert;
32 X509 *issuer; 32 X509 *issuer;
33
34 u_char *name;
33 35
34 time_t valid; 36 time_t valid;
35 time_t refresh; 37 time_t refresh;
36 38
37 unsigned verify:1; 39 unsigned verify:1;
171 173
172 staple->ssl_ctx = ssl->ctx; 174 staple->ssl_ctx = ssl->ctx;
173 staple->timeout = 60000; 175 staple->timeout = 60000;
174 staple->verify = verify; 176 staple->verify = verify;
175 staple->cert = cert; 177 staple->cert = cert;
178 staple->name = X509_get_ex_data(staple->cert,
179 ngx_ssl_certificate_name_index);
176 180
177 if (file->len) { 181 if (file->len) {
178 /* use OCSP response from the file */ 182 /* use OCSP response from the file */
179 183
180 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { 184 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
352 return NGX_ERROR; 356 return NGX_ERROR;
353 } 357 }
354 358
355 if (rc == 0) { 359 if (rc == 0) {
356 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, 360 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
357 "\"ssl_stapling\" ignored, issuer certificate not found"); 361 "\"ssl_stapling\" ignored, "
362 "issuer certificate not found for certificate \"%s\"",
363 staple->name);
358 X509_STORE_CTX_free(store_ctx); 364 X509_STORE_CTX_free(store_ctx);
359 return NGX_DECLINED; 365 return NGX_DECLINED;
360 } 366 }
361 367
362 X509_STORE_CTX_free(store_ctx); 368 X509_STORE_CTX_free(store_ctx);
385 391
386 aia = X509_get1_ocsp(staple->cert); 392 aia = X509_get1_ocsp(staple->cert);
387 if (aia == NULL) { 393 if (aia == NULL) {
388 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, 394 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
389 "\"ssl_stapling\" ignored, " 395 "\"ssl_stapling\" ignored, "
390 "no OCSP responder URL in the certificate"); 396 "no OCSP responder URL in the certificate \"%s\"",
397 staple->name);
391 return NGX_DECLINED; 398 return NGX_DECLINED;
392 } 399 }
393 400
394 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 401 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
395 s = sk_OPENSSL_STRING_value(aia, 0); 402 s = sk_OPENSSL_STRING_value(aia, 0);
397 s = sk_value(aia, 0); 404 s = sk_value(aia, 0);
398 #endif 405 #endif
399 if (s == NULL) { 406 if (s == NULL) {
400 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, 407 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
401 "\"ssl_stapling\" ignored, " 408 "\"ssl_stapling\" ignored, "
402 "no OCSP responder URL in the certificate"); 409 "no OCSP responder URL in the certificate \"%s\"",
410 staple->name);
403 X509_email_free(aia); 411 X509_email_free(aia);
404 return NGX_DECLINED; 412 return NGX_DECLINED;
405 } 413 }
406 414
407 responder = &rsp; 415 responder = &rsp;
430 u.url.data += 7; 438 u.url.data += 7;
431 439
432 } else { 440 } else {
433 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, 441 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
434 "\"ssl_stapling\" ignored, " 442 "\"ssl_stapling\" ignored, "
435 "invalid URL prefix in OCSP responder \"%V\"", &u.url); 443 "invalid URL prefix in OCSP responder \"%V\" "
444 "in the certificate \"%s\"",
445 &u.url, staple->name);
436 return NGX_DECLINED; 446 return NGX_DECLINED;
437 } 447 }
438 448
439 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { 449 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
440 if (u.err) { 450 if (u.err) {
441 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, 451 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
442 "\"ssl_stapling\" ignored, " 452 "\"ssl_stapling\" ignored, "
443 "%s in OCSP responder \"%V\"", u.err, &u.url); 453 "%s in OCSP responder \"%V\" "
454 "in the certificate \"%s\"",
455 u.err, &u.url, staple->name);
444 return NGX_DECLINED; 456 return NGX_DECLINED;
445 } 457 }
446 458
447 return NGX_ERROR; 459 return NGX_ERROR;
448 } 460 }
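Review bot: The pointer stored at new lines 178-179 of ngx_ssl_stapling_certificate is passed unconditionally through `%s` in all five warnings that follow (new lines 361-363, 396-397, 409-410, 443-445 and 453-455), and nothing checks whether X509_get_ex_data() returned NULL for a certificate whose ex_data slot was never set, in which case the formatter would, as far as I can tell, dereference a null pointer while building the log line. Every certificate that reaches stapling appears to be loaded through the path that fills that slot, so this reads as a robustness gap rather than a reachable crash, but it is cheap to make explicit with `if (staple->name == NULL) { staple->name = (u_char *) "unknown"; }` right after the assignment. A short comment on the new `name` member at new line 34, e.g. `/* certificate name, taken from the ngx_ssl_certificate_name_index ex_data slot */`, would also tell readers where the pointer comes from and that the staple does not own it. ngx_ssl_stapling_certificate begins before and continues after its hunk.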