# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1463658392 -10800
# Node ID a2d5d45f15250391d0a86c2def9d95fbf8a59ee9
# Parent  a873b4d9cd809a612ce95ef58173e0cd9430c80d
OCSP stapling: staple now extracted via SSL_get_certificate().

This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return correct certificate
when the certificate status callback is called.

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -185,7 +185,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
 done:
 
     SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
-    SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);
 
     return NGX_OK;
 }
@@ -455,6 +454,7 @@ static int
 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
 {
     int                  rc;
+    X509                *cert;
     u_char              *p;
     ngx_connection_t    *c;
     ngx_ssl_stapling_t  *staple;
@@ -464,9 +464,15 @@ ngx_ssl_certificate_status_callback(ngx_
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "SSL certificate status callback");
 
-    staple = data;
     rc = SSL_TLSEXT_ERR_NOACK;
 
+    cert = SSL_get_certificate(ssl_conn);
+    staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
+
+    if (staple == NULL) {
+        return rc;
+    }
+
     if (staple->staple.len
         && staple->valid >= ngx_time())
     {