Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 6545:a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | 458e01ef46e6 |
| children | a2d5d45f1525 |
comparison
equal
deleted
inserted
replaced
| 6544:458e01ef46e6 | 6545:a873b4d9cd80 |
|---|---|
| 120 | 120 |
| 121 ngx_int_t | 121 ngx_int_t |
| 122 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, | 122 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
| 123 ngx_str_t *responder, ngx_uint_t verify) | 123 ngx_str_t *responder, ngx_uint_t verify) |
| 124 { | 124 { |
| 125 X509 *cert; | |
| 125 ngx_int_t rc; | 126 ngx_int_t rc; |
| 126 ngx_pool_cleanup_t *cln; | 127 ngx_pool_cleanup_t *cln; |
| 127 ngx_ssl_stapling_t *staple; | 128 ngx_ssl_stapling_t *staple; |
| 128 | 129 |
| 129 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); | 130 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); |
| 137 } | 138 } |
| 138 | 139 |
| 139 cln->handler = ngx_ssl_stapling_cleanup; | 140 cln->handler = ngx_ssl_stapling_cleanup; |
| 140 cln->data = staple; | 141 cln->data = staple; |
| 141 | 142 |
| 142 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple) | 143 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
| 143 == 0) | 144 |
| 144 { | 145 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) { |
| 145 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 146 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
| 146 "SSL_CTX_set_ex_data() failed"); | |
| 147 return NGX_ERROR; | 147 return NGX_ERROR; |
| 148 } | 148 } |
| 149 | 149 |
| 150 staple->ssl_ctx = ssl->ctx; | 150 staple->ssl_ctx = ssl->ctx; |
| 151 staple->timeout = 60000; | 151 staple->timeout = 60000; |
| 152 staple->verify = verify; | 152 staple->verify = verify; |
| 153 staple->cert = cert; | |
| 153 | 154 |
| 154 if (file->len) { | 155 if (file->len) { |
| 155 /* use OCSP response from the file */ | 156 /* use OCSP response from the file */ |
| 156 | 157 |
| 157 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { | 158 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { |
| 265 X509 *cert, *issuer; | 266 X509 *cert, *issuer; |
| 266 X509_STORE *store; | 267 X509_STORE *store; |
| 267 X509_STORE_CTX *store_ctx; | 268 X509_STORE_CTX *store_ctx; |
| 268 STACK_OF(X509) *chain; | 269 STACK_OF(X509) *chain; |
| 269 | 270 |
| 270 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 271 cert = staple->cert; |
| 271 | 272 |
| 272 #if OPENSSL_VERSION_NUMBER >= 0x10001000L | 273 #if OPENSSL_VERSION_NUMBER >= 0x10001000L |
| 273 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); | 274 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); |
| 274 #else | 275 #else |
| 275 chain = ssl->ctx->extra_certs; | 276 chain = ssl->ctx->extra_certs; |
| 290 #endif | 291 #endif |
| 291 | 292 |
| 292 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, | 293 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
| 293 "SSL get issuer: found %p in extra certs", issuer); | 294 "SSL get issuer: found %p in extra certs", issuer); |
| 294 | 295 |
| 295 staple->cert = cert; | |
| 296 staple->issuer = issuer; | 296 staple->issuer = issuer; |
| 297 | 297 |
| 298 return NGX_OK; | 298 return NGX_OK; |
| 299 } | 299 } |
| 300 } | 300 } |
| 339 X509_STORE_CTX_free(store_ctx); | 339 X509_STORE_CTX_free(store_ctx); |
| 340 | 340 |
| 341 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, | 341 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
| 342 "SSL get issuer: found %p in cert store", issuer); | 342 "SSL get issuer: found %p in cert store", issuer); |
| 343 | 343 |
| 344 staple->cert = cert; | |
| 345 staple->issuer = issuer; | 344 staple->issuer = issuer; |
| 346 | 345 |
| 347 return NGX_OK; | 346 return NGX_OK; |
| 348 } | 347 } |
| 349 | 348 |
| 437 | 436 |
| 438 ngx_int_t | 437 ngx_int_t |
| 439 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, | 438 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 440 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) | 439 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
| 441 { | 440 { |
| 441 X509 *cert; | |
| 442 ngx_ssl_stapling_t *staple; | 442 ngx_ssl_stapling_t *staple; |
| 443 | 443 |
| 444 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); | 444 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
| 445 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | |
| 445 | 446 |
| 446 staple->resolver = resolver; | 447 staple->resolver = resolver; |
| 447 staple->resolver_timeout = resolver_timeout; | 448 staple->resolver_timeout = resolver_timeout; |
| 448 | 449 |
| 449 return NGX_OK; | 450 return NGX_OK; |