comparison src/event/ngx_event_openssl_stapling.c @ 6549:d3302eb87a0c
SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function, introduced in OpenSSL 1.0.2, is now
used instead of SSL_CTX_add_extra_chain_cert().
SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() adds them only to a particular
certificate. This makes no difference with a single certificate, but it
matters when multiple certificates are used.
Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | 8a34e92d8ab5 |
children | b3b7e33083ac |
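--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -285,11 +285,17 @@
 X509_STORE_CTX *store_ctx;
 STACK_OF(X509) *chain;
 
 cert = staple->cert;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+/* OpenSSL 1.0.2+ */
+SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+/* OpenSSL 1.0.1+ */
 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
 #else
 chain = ssl->ctx->extra_certs;
 #endif
 
@@ -619,11 +625,17 @@
 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
 "SSL_CTX_get_cert_store() failed");
 goto error;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+/* OpenSSL 1.0.2+ */
+SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+/* OpenSSL 1.0.1+ */
 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
 #else
 chain = staple->ssl_ctx->extra_certs;
 #endif
 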
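Review bot: The return value of SSL_CTX_select_current_cert() is discarded in both hunks (new lines 292 and 632), yet OpenSSL returns 0 when the given certificate is not one of the context's certificates, and in that case the SSL_CTX_get_extra_chain_certs() call that follows still returns the chain of whichever certificate was previously selected, which is the mix-up the commit message says the call is there to prevent. If the certificate is always loaded into that context this is only a sanity check, but the second hunk sits in a function that already has an ngx_ssl_error()/goto error path (visible in the SSL_CTX_get_cert_store() check a few lines above), so reporting the failure is cheap and consistent; the same check applies to the first hunk, whose error convention is not visible here. Both enclosing functions start and end outside the hunks.

```c
#ifdef SSL_CTRL_SELECT_CURRENT_CERT
    /* OpenSSL 1.0.2+ */
    if (SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert) == 0) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "SSL_CTX_select_current_cert() failed");
        goto error;
    }
#endif

    /* … unchanged: chain lookup via SSL_CTX_get_extra_chain_certs() … */
```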