comparison src/event/ngx_event_openssl.c @ 6549:d3302eb87a0c
SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function, introduced in OpenSSL 1.0.2, is now
used instead of SSL_CTX_add_extra_chain_cert().
SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate. There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.
Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | 8a34e92d8ab5 |
children | 51e1f047d15d |
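--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -406,18 +406,37 @@
 "PEM_read_bio_X509(\"%s\") failed", cert->data);
 BIO_free(bio);
 return NGX_ERROR;
 }
 
+#ifdef SSL_CTRL_CHAIN_CERT
+
+/*
+* SSL_CTX_add0_chain_cert() is needed to add chain to
+* a particular certificate when multiple certificates are used;
+* only available in OpenSSL 1.0.2+
+*/
+
+if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_add0_chain_cert(\"%s\") failed",
+cert->data);
+X509_free(x509);
+BIO_free(bio);
+return NGX_ERROR;
+}
+
+#else
 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
 cert->data);
 X509_free(x509);
 BIO_free(bio);
 return NGX_ERROR;
 }
+#endif
 }
 
 BIO_free(bio);
 
 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {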
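Review bot: The `#else` fallback has no comment stating its limitation, although the new `#ifdef SSL_CTRL_CHAIN_CERT` branch explains why it exists. On builds without that macro, `SSL_CTX_add_extra_chain_cert()` still attaches the chain to every certificate in the context, so per the commit message a configuration with multiple certificates would get one shared chain and nothing tells the operator. I would add above the fallback call `/* OpenSSL before 1.0.2: extra chain certs are shared by all certificates in the context */`. A short note that `SSL_CTX_add0_chain_cert()` takes ownership of `x509` on success would also explain why `X509_free()` appears only on the failure path. The enclosing function begins and ends outside this hunk, so whether a configuration-time warning for the multi-certificate case already exists elsewhere cannot be seen from here.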