diff src/event/ngx_event_openssl_stapling.c @ 6549:d3302eb87a0c

SSL: support for per-certificate chains. The SSL_CTX_add0_chain_cert() function, introduced in OpenSSL 1.0.2, is now used instead of SSL_CTX_add_extra_chain_cert(). SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates in the context, while SSL_CTX_add0_chain_cert() adds them only to a particular certificate. There is no difference unless multiple certificates are used, but it is important when multiple certificates are in use. Additionally, SSL_CTX_select_current_cert() is now called before using a chain to make sure the correct chain will be returned.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 19 May 2016 14:46:32 +0300
parents 8a34e92d8ab5
children b3b7e33083ac
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -287,7 +287,13 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
 
     cert = staple->cert;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+    /* OpenSSL 1.0.2+ */
+    SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+    /* OpenSSL 1.0.1+ */
     SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
 #else
     chain = ssl->ctx->extra_certs;
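Review bot: The return value of SSL_CTX_select_current_cert() on the new line is discarded, so if `cert` is not actually installed in `ssl->ctx` the call fails silently and the following SSL_CTX_get_extra_chain_certs() hands back whichever certificate's chain happens to be current, not the chain for `cert`; the issuer lookup would then search the wrong chain, which is exactly what the commit message says this call is meant to prevent. The same unchecked call appears in the second hunk in ngx_ssl_stapling_ocsp_handler(). OpenSSL documents SSL_CTX_select_current_cert() as returning 1 on success and 0 when the certificate is not found, so the result should be checked, e.g. `if (SSL_CTX_select_current_cert(ssl->ctx, cert) != 1) { /* log via ngx_ssl_error() and take the function's existing failure return */ }`. The body of ngx_ssl_stapling_issuer() starts and ends outside this hunk, so the exact logging and return convention to reuse is not visible here.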
@@ -621,7 +627,13 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
         goto error;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+    /* OpenSSL 1.0.2+ */
+    SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+    /* OpenSSL 1.0.1+ */
     SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
 #else
     chain = staple->ssl_ctx->extra_certs;