comparison src/event/ngx_event_openssl_stapling.c @ 6812:a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 05 Dec 2016 22:23:22 +0300 |
parents | 5eb3309d0b9e |
children | 94586180fb41 |
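--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -28,10 +28,12 @@
 
 SSL_CTX *ssl_ctx;
 
 X509 *cert;
 X509 *issuer;
+
+u_char *name;
 
 time_t valid;
 time_t refresh;
 
 unsigned verify:1;
@@ -171,10 +173,12 @@
 
 staple->ssl_ctx = ssl->ctx;
 staple->timeout = 60000;
 staple->verify = verify;
 staple->cert = cert;
+staple->name = X509_get_ex_data(staple->cert,
+ngx_ssl_certificate_name_index);
 
 if (file->len) {
 /* use OCSP response from the file */
 
 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
@@ -352,11 +356,13 @@
 return NGX_ERROR;
 }
 
 if (rc == 0) {
 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
-"\"ssl_stapling\" ignored, issuer certificate not found");
+"\"ssl_stapling\" ignored, "
+"issuer certificate not found for certificate \"%s\"",
+staple->name);
 X509_STORE_CTX_free(store_ctx);
 return NGX_DECLINED;
 }
 
 X509_STORE_CTX_free(store_ctx);
@@ -385,11 +391,12 @@
 
 aia = X509_get1_ocsp(staple->cert);
 if (aia == NULL) {
 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
 "\"ssl_stapling\" ignored, "
-"no OCSP responder URL in the certificate");
+"no OCSP responder URL in the certificate \"%s\"",
+staple->name);
 return NGX_DECLINED;
 }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
 s = sk_OPENSSL_STRING_value(aia, 0);
@@ -397,11 +404,12 @@
 s = sk_value(aia, 0);
 #endif
 if (s == NULL) {
 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
 "\"ssl_stapling\" ignored, "
-"no OCSP responder URL in the certificate");
+"no OCSP responder URL in the certificate \"%s\"",
+staple->name);
 X509_email_free(aia);
 return NGX_DECLINED;
 }
 
 responder = &rsp;
@@ -430,19 +438,23 @@
 u.url.data += 7;
 
 } else {
 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
 "\"ssl_stapling\" ignored, "
-"invalid URL prefix in OCSP responder \"%V\"", &u.url);
+"invalid URL prefix in OCSP responder \"%V\" "
+"in the certificate \"%s\"",
+&u.url, staple->name);
 return NGX_DECLINED;
 }
 
 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
 if (u.err) {
 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
 "\"ssl_stapling\" ignored, "
-"%s in OCSP responder \"%V\"", u.err, &u.url);
+"%s in OCSP responder \"%V\" "
+"in the certificate \"%s\"",
+u.err, &u.url, staple->name);
 return NGX_DECLINED;
 }
 
 return NGX_ERROR;
 }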
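Review bot: The result of `X509_get_ex_data()` is stored in `staple->name` (new lines 178-179) without a NULL check, and every warning changed by this commit then passes `staple->name` to a `%s` conversion. `X509_get_ex_data()` returns NULL when nothing was stored at that index, and the code that sets `ngx_ssl_certificate_name_index` on the certificate is not part of this page, so the invariant that the name is always set is presumably upheld elsewhere but is not enforced here. Whether the `%s` handling in `ngx_log_error()` tolerates a null pointer is also not visible, so a guard right after the assignment would be safer, for example `if (staple->name == NULL) { staple->name = (u_char *) "unknown"; }`. The enclosing function starts and ends outside the displayed context.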