Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 6549:d3302eb87a0c
SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now
used instead of SSL_CTX_add_extra_chain_cert().
SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate. There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.
Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | 8a34e92d8ab5 |
| children | b3b7e33083ac |
comparison
equal
deleted
inserted
replaced
| 6548:8a34e92d8ab5 | 6549:d3302eb87a0c |
|---|---|
| 285 X509_STORE_CTX *store_ctx; | 285 X509_STORE_CTX *store_ctx; |
| 286 STACK_OF(X509) *chain; | 286 STACK_OF(X509) *chain; |
| 287 | 287 |
| 288 cert = staple->cert; | 288 cert = staple->cert; |
| 289 | 289 |
| 290 #if OPENSSL_VERSION_NUMBER >= 0x10001000L | 290 #ifdef SSL_CTRL_SELECT_CURRENT_CERT |
| 291 /* OpenSSL 1.0.2+ */ | |
| 292 SSL_CTX_select_current_cert(ssl->ctx, cert); | |
| 293 #endif | |
| 294 | |
| 295 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS | |
| 296 /* OpenSSL 1.0.1+ */ | |
| 291 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); | 297 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); |
| 292 #else | 298 #else |
| 293 chain = ssl->ctx->extra_certs; | 299 chain = ssl->ctx->extra_certs; |
| 294 #endif | 300 #endif |
| 295 | 301 |
| 619 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, | 625 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
| 620 "SSL_CTX_get_cert_store() failed"); | 626 "SSL_CTX_get_cert_store() failed"); |
| 621 goto error; | 627 goto error; |
| 622 } | 628 } |
| 623 | 629 |
| 624 #if OPENSSL_VERSION_NUMBER >= 0x10001000L | 630 #ifdef SSL_CTRL_SELECT_CURRENT_CERT |
| 631 /* OpenSSL 1.0.2+ */ | |
| 632 SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert); | |
| 633 #endif | |
| 634 | |
| 635 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS | |
| 636 /* OpenSSL 1.0.1+ */ | |
| 625 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); | 637 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); |
| 626 #else | 638 #else |
| 627 chain = staple->ssl_ctx->extra_certs; | 639 chain = staple->ssl_ctx->extra_certs; |
| 628 #endif | 640 #endif |
| 629 | 641 |