diff src/http/modules/ngx_http_ssl_module.c @ 4879:4a804fd04e6c

OCSP stapling: ssl_stapling_verify directive. OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify directive allows switching it on. Note that for stapling, OCSP response verification isn't strictly required, as it will be done by a client anyway. But doing verification on the server allows mitigating some attack vectors, most notably stopping an attacker from presenting specially crafted data to all site clients.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 01 Oct 2012 12:53:11 +0000
parents 386a06a22c40
children e406c997470a
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -182,6 +182,13 @@ static ngx_command_t  ngx_http_ssl_comma
       offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
       NULL },
 
+    { ngx_string("ssl_stapling_verify"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+      NULL },
+
       ngx_null_command
 };
 
@@ -370,6 +377,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
     sscf->builtin_session_cache = NGX_CONF_UNSET;
     sscf->session_timeout = NGX_CONF_UNSET;
     sscf->stapling = NGX_CONF_UNSET;
+    sscf->stapling_verify = NGX_CONF_UNSET;
 
     return sscf;
 }
@@ -424,6 +432,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
     ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+    ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
     ngx_conf_merge_str_value(conf->stapling_responder,
                          prev->stapling_responder, "");
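Review bot: The merged default of 0 on the added stapling_verify line means a freshly configured stapling setup hands the responder's OCSP response to every client without the server checking it, which is the exposure the commit message itself describes, so the line deserves a comment that makes the default explicit instead of leaving the reader to assume verification is on. Suggested comment above it: `/* verification is off by default to simplify configuration; see ssl_stapling_verify */`. ngx_http_ssl_merge_srv_conf() begins before this hunk and continues after it.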
@@ -565,8 +574,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 
     if (conf->stapling) {
 
-        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder,
-                             &conf->stapling_file)
+        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+                             &conf->stapling_responder, conf->stapling_verify)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
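Review bot: The two ngx_str_t arguments to ngx_ssl_stapling() are swapped relative to the removed lines (stapling_file now precedes stapling_responder), and because both are `ngx_str_t *` a declaration or definition that was not updated in lockstep would still compile and silently treat the responder URL as the file path. Neither the prototype nor the body of ngx_ssl_stapling() is in this diff, so confirm both change to the same order and take the new verify flag argument (presumably ngx_flag_t, matching conf->stapling_verify) in the same commit. ngx_http_ssl_merge_srv_conf() starts before this hunk and continues after it.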