nginx: src/event/ngx_event_openssl.c comparison

comparison src/event/ngx_event_openssl.c @ 6549:d3302eb87a0c

SSL: support for per-certificate chains. The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now used instead of SSL_CTX_add_extra_chain_cert(). SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates in the context, while SSL_CTX_add0_chain_cert() only to a particular certificate. There is no difference unless multiple certificates are used, though it is important when using multiple certificates. Additionally, SSL_CTX_select_current_cert() is now called before using a chain to make sure correct chain will be returned.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 19 May 2016 14:46:32 +0300
parents	8a34e92d8ab5
children	51e1f047d15d

comparison

equal deleted inserted replaced

-:8a34e92d8ab5
+:d3302eb87a0c
 "PEM_read_bio_X509(\"%s\") failed", cert->data);
 BIO_free(bio);
 return NGX_ERROR;
 }
+#ifdef SSL_CTRL_CHAIN_CERT
+/*
+* SSL_CTX_add0_chain_cert() is needed to add chain to
+* a particular certificate when multiple certificates are used;
+* only available in OpenSSL 1.0.2+
+*/
+if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"SSL_CTX_add0_chain_cert(\"%s\") failed",
+cert->data);
+X509_free(x509);
+BIO_free(bio);
+return NGX_ERROR;
+}
+#else
 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
 cert->data);
 X509_free(x509);
 BIO_free(bio);
 return NGX_ERROR;
 }
+#endif
 }
 BIO_free(bio);
 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {

Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.c @ 6549:d3302eb87a0c