authorRoman Arutyunyan <arut@nginx.com>2020-05-17 14:24:35 +0300
committerRoman Arutyunyan <arut@nginx.com>2020-05-17 14:24:35 +0300
commitabdb9aebc6fa165cc2a77a555f309a4eec6947dd (patch)
treeaf16d504a56bfd76a7391884c4b1effa21668241 /src
parent3f2ac979eb3600fe285f184bfd30673e7c8de85a (diff)
OCSP stapling: keep extra chain in the staple object.
Diffstat (limited to 'src')
-rw-r--r--src/event/ngx_event_openssl_stapling.c47
1 files changed, 18 insertions, 29 deletions
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index b920d7129..9f52fba2f 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -30,6 +30,7 @@ typedef struct {
X509 *cert;
X509 *issuer;
+ STACK_OF(X509) *chain;
u_char *name;
@@ -48,6 +49,7 @@ struct ngx_ssl_ocsp_ctx_s {
X509 *cert;
X509 *issuer;
+ STACK_OF(X509) *chain;
int status;
time_t valid;
@@ -179,6 +181,18 @@ ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
return NGX_ERROR;
}
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+ /* OpenSSL 1.0.1+ */
+ SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
+#else
+ staple->chain = ssl->ctx->extra_certs;
+#endif
+
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
staple->verify = verify;
@@ -295,29 +309,16 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
X509 *cert, *issuer;
X509_STORE *store;
X509_STORE_CTX *store_ctx;
- STACK_OF(X509) *chain;
cert = staple->cert;
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
- /* OpenSSL 1.0.2+ */
- SSL_CTX_select_current_cert(ssl->ctx, cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
- /* OpenSSL 1.0.1+ */
- SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
-#else
- chain = ssl->ctx->extra_certs;
-#endif
-
- n = sk_X509_num(chain);
+ n = sk_X509_num(staple->chain);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: %d extra certs", n);
for (i = 0; i < n; i++) {
- issuer = sk_X509_value(chain, i);
+ issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
#if OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
@@ -573,6 +574,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
ctx->ssl_ctx = staple->ssl_ctx;
ctx->cert = staple->cert;
ctx->issuer = staple->issuer;
+ ctx->chain = staple->chain;
ctx->name = staple->name;
ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
@@ -1720,7 +1722,6 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
size_t len;
X509_STORE *store;
const u_char *p;
- STACK_OF(X509) *chain;
OCSP_CERTID *id;
OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic;
@@ -1769,19 +1770,7 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
goto error;
}
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
- /* OpenSSL 1.0.2+ */
- SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
- /* OpenSSL 1.0.1+ */
- SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
-#else
- chain = ctx->ssl_ctx->extra_certs;
-#endif
-
- if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
+ if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
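Review bot: The pointer stored into `staple->chain` in ngx_ssl_stapling_certificate is a borrowed reference: `SSL_CTX_get_extra_chain_certs()` (and the `ssl->ctx->extra_certs` fallback) hand out the SSL_CTX's internal STACK_OF(X509) without bumping any reference count, and the same pointer is then copied into `ctx->chain` in ngx_ssl_stapling_update and handed to `OCSP_basic_verify()` in ngx_ssl_ocsp_verify. Nothing in the two struct definitions records this, so a future change that frees the stack or replaces the context's chain after stapling is configured would leave both fields dangling; the staple already keeps `ssl_ctx`, which ties the lifetimes together in practice, but the ownership deserves to be stated next to the new fields, e.g. `STACK_OF(X509) *chain;  /* borrowed from ssl_ctx, not ref-counted */`. A second consequence worth a comment is that the chain is now snapshotted at configuration time rather than looked up on each verification, so any chain certificates added to the SSL_CTX after `ngx_ssl_stapling_certificate()` runs would presumably not be seen by the OCSP verifier; if no such later step exists this is fine, but the assumption is not visible here. The enclosing functions ngx_ssl_stapling_certificate and ngx_ssl_ocsp_verify both begin and end outside the shown hunks.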