Mercurial > hg > nginx

diff src/event/ngx_event_openssl_stapling.c @ 6548:8a34e92d8ab5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: made it possible to iterate though all certificates. A pointer to a previously configured certificate now stored in a certificate. This makes it possible to iterate though all certificates configured in the SSL context. This is now used to configure OCSP stapling for all certificates, and in ngx_ssl_session_id_context(). As SSL_CTX_use_certificate() frees previously loaded certificate of the same type, and we have no way to find out if it's the case, X509_free() calls are now posponed till ngx_ssl_cleanup_ctx(). Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions. These are not yet available in all supported versions though, so it's easier to continue to use exdata for now.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 19 May 2016 14:46:32 +0300
parents e222a97d46c1
children d3302eb87a0c
line wrap: on
line diff
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -126,12 +126,15 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
 {
     X509  *cert;
 
-    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
-
-    if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
-        != NGX_OK)
+    for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+         cert;
+         cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
     {
-        return NGX_ERROR;
+        if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
+            != NGX_OK)
+        {
+            return NGX_ERROR;
+        }
     }
 
     SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
@@ -455,11 +458,14 @@ ngx_ssl_stapling_resolver(ngx_conf_t *cf
     X509                *cert;
     ngx_ssl_stapling_t  *staple;
 
-    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
-    staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
-
-    staple->resolver = resolver;
-    staple->resolver_timeout = resolver_timeout;
+    for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+         cert;
+         cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
+    {
+        staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
+        staple->resolver = resolver;
+        staple->resolver_timeout = resolver_timeout;
+    }
 
     return NGX_OK;
 }