Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 7654:b56f725dd4bb
OCSP: certificate status cache.
When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.
New directive ssl_ocsp_cache is added to configure the cache.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Fri, 22 May 2020 17:25:27 +0300 |
| parents | 8409f9df6219 |
| children | 3bff3f397c05 7995cd199b52 |
comparison
equal
deleted
inserted
replaced
| 7653:8409f9df6219 | 7654:b56f725dd4bb |
|---|---|
| 47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, | 47 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, |
| 48 void *conf); | 48 void *conf); |
| 49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, | 49 static char *ngx_http_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, |
| 50 void *conf); | 50 void *conf); |
| 51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | 51 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, |
| 52 void *conf); | |
| 53 static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
| 52 void *conf); | 54 void *conf); |
| 53 | 55 |
| 54 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); | 56 static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); |
| 55 | 57 |
| 56 | 58 |
| 232 { ngx_string("ssl_ocsp_responder"), | 234 { ngx_string("ssl_ocsp_responder"), |
| 233 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 235 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
| 234 ngx_conf_set_str_slot, | 236 ngx_conf_set_str_slot, |
| 235 NGX_HTTP_SRV_CONF_OFFSET, | 237 NGX_HTTP_SRV_CONF_OFFSET, |
| 236 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), | 238 offsetof(ngx_http_ssl_srv_conf_t, ocsp_responder), |
| 239 NULL }, | |
| 240 | |
| 241 { ngx_string("ssl_ocsp_cache"), | |
| 242 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | |
| 243 ngx_http_ssl_ocsp_cache, | |
| 244 NGX_HTTP_SRV_CONF_OFFSET, | |
| 245 0, | |
| 237 NULL }, | 246 NULL }, |
| 238 | 247 |
| 239 { ngx_string("ssl_stapling"), | 248 { ngx_string("ssl_stapling"), |
| 240 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 249 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 241 ngx_conf_set_flag_slot, | 250 ngx_conf_set_flag_slot, |
| 600 sscf->builtin_session_cache = NGX_CONF_UNSET; | 609 sscf->builtin_session_cache = NGX_CONF_UNSET; |
| 601 sscf->session_timeout = NGX_CONF_UNSET; | 610 sscf->session_timeout = NGX_CONF_UNSET; |
| 602 sscf->session_tickets = NGX_CONF_UNSET; | 611 sscf->session_tickets = NGX_CONF_UNSET; |
| 603 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; | 612 sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; |
| 604 sscf->ocsp = NGX_CONF_UNSET_UINT; | 613 sscf->ocsp = NGX_CONF_UNSET_UINT; |
| 614 sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR; | |
| 605 sscf->stapling = NGX_CONF_UNSET; | 615 sscf->stapling = NGX_CONF_UNSET; |
| 606 sscf->stapling_verify = NGX_CONF_UNSET; | 616 sscf->stapling_verify = NGX_CONF_UNSET; |
| 607 | 617 |
| 608 return sscf; | 618 return sscf; |
| 609 } | 619 } |
| 665 | 675 |
| 666 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); | 676 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); |
| 667 | 677 |
| 668 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); | 678 ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0); |
| 669 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); | 679 ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, ""); |
| 680 ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, | |
| 681 prev->ocsp_cache_zone, NULL); | |
| 670 | 682 |
| 671 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); | 683 ngx_conf_merge_value(conf->stapling, prev->stapling, 0); |
| 672 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); | 684 ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0); |
| 673 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); | 685 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); |
| 674 ngx_conf_merge_str_value(conf->stapling_responder, | 686 ngx_conf_merge_str_value(conf->stapling_responder, |
| 836 "\"ssl_ocsp\" is incompatible with " | 848 "\"ssl_ocsp\" is incompatible with " |
| 837 "\"ssl_verify_client optional_no_ca\""); | 849 "\"ssl_verify_client optional_no_ca\""); |
| 838 return NGX_CONF_ERROR; | 850 return NGX_CONF_ERROR; |
| 839 } | 851 } |
| 840 | 852 |
| 841 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp) | 853 if (ngx_ssl_ocsp(cf, &conf->ssl, &conf->ocsp_responder, conf->ocsp, |
| 854 conf->ocsp_cache_zone) | |
| 842 != NGX_OK) | 855 != NGX_OK) |
| 843 { | 856 { |
| 844 return NGX_CONF_ERROR; | 857 return NGX_CONF_ERROR; |
| 845 } | 858 } |
| 846 } | 859 } |
| 1136 | 1149 |
| 1137 invalid: | 1150 invalid: |
| 1138 | 1151 |
| 1139 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | 1152 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
| 1140 "invalid session cache \"%V\"", &value[i]); | 1153 "invalid session cache \"%V\"", &value[i]); |
| 1154 | |
| 1155 return NGX_CONF_ERROR; | |
| 1156 } | |
| 1157 | |
| 1158 | |
| 1159 static char * | |
| 1160 ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
| 1161 { | |
| 1162 ngx_http_ssl_srv_conf_t *sscf = conf; | |
| 1163 | |
| 1164 size_t len; | |
| 1165 ngx_int_t n; | |
| 1166 ngx_str_t *value, name, size; | |
| 1167 ngx_uint_t j; | |
| 1168 | |
| 1169 if (sscf->ocsp_cache_zone != NGX_CONF_UNSET_PTR) { | |
| 1170 return "is duplicate"; | |
| 1171 } | |
| 1172 | |
| 1173 value = cf->args->elts; | |
| 1174 | |
| 1175 if (ngx_strcmp(value[1].data, "off") == 0) { | |
| 1176 sscf->ocsp_cache_zone = NULL; | |
| 1177 return NGX_CONF_OK; | |
| 1178 } | |
| 1179 | |
| 1180 if (value[1].len <= sizeof("shared:") - 1 | |
| 1181 || ngx_strncmp(value[1].data, "shared:", sizeof("shared:") - 1) != 0) | |
| 1182 { | |
| 1183 goto invalid; | |
| 1184 } | |
| 1185 | |
| 1186 len = 0; | |
| 1187 | |
| 1188 for (j = sizeof("shared:") - 1; j < value[1].len; j++) { | |
| 1189 if (value[1].data[j] == ':') { | |
| 1190 break; | |
| 1191 } | |
| 1192 | |
| 1193 len++; | |
| 1194 } | |
| 1195 | |
| 1196 if (len == 0) { | |
| 1197 goto invalid; | |
| 1198 } | |
| 1199 | |
| 1200 name.len = len; | |
| 1201 name.data = value[1].data + sizeof("shared:") - 1; | |
| 1202 | |
| 1203 size.len = value[1].len - j - 1; | |
| 1204 size.data = name.data + len + 1; | |
| 1205 | |
| 1206 n = ngx_parse_size(&size); | |
| 1207 | |
| 1208 if (n == NGX_ERROR) { | |
| 1209 goto invalid; | |
| 1210 } | |
| 1211 | |
| 1212 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
| 1213 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 1214 "OCSP cache \"%V\" is too small", &value[1]); | |
| 1215 | |
| 1216 return NGX_CONF_ERROR; | |
| 1217 } | |
| 1218 | |
| 1219 sscf->ocsp_cache_zone = ngx_shared_memory_add(cf, &name, n, | |
| 1220 &ngx_http_ssl_module_ctx); | |
| 1221 if (sscf->ocsp_cache_zone == NULL) { | |
| 1222 return NGX_CONF_ERROR; | |
| 1223 } | |
| 1224 | |
| 1225 sscf->ocsp_cache_zone->init = ngx_ssl_ocsp_cache_init; | |
| 1226 | |
| 1227 return NGX_CONF_OK; | |
| 1228 | |
| 1229 invalid: | |
| 1230 | |
| 1231 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
| 1232 "invalid OCSP cache \"%V\"", &value[1]); | |
| 1141 | 1233 |
| 1142 return NGX_CONF_ERROR; | 1234 return NGX_CONF_ERROR; |
| 1143 } | 1235 } |
| 1144 | 1236 |
| 1145 | 1237 |