Stream: fixed client certificate validation with OCSP.

author Sergey Kandaurov <pluknet@nginx.com>

Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)

committer Roman Arutyunyan <arutyunyan.roman@gmail.com>

Tue, 24 Mar 2026 15:28:20 +0000 (19:28 +0400)
author Sergey Kandaurov <pluknet@nginx.com>
Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)
committer Roman Arutyunyan <arutyunyan.roman@gmail.com>
Tue, 24 Mar 2026 15:28:20 +0000 (19:28 +0400)
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c

index b7e5db449541147c0db7a62ff0584801ea42a890..0e17cff4d96eba8b0d6aa8b5b492311213ce7e1b 100644 (file)
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -437,6 +437,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
      long                        rc;
      X509                       *cert;
      ngx_int_t                   rv;
+    const char                 *str;
      ngx_connection_t           *c;
      ngx_stream_ssl_srv_conf_t  *sscf;
  
@@ -487,6 +488,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
  
              X509_free(cert);
          }
+
+        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client SSL certificate verify error: %s", str);
+
+            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+            return NGX_ERROR;
+        }
      }
  
      return NGX_OK;
author	Sergey Kandaurov <pluknet@nginx.com>
	Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>
	Tue, 24 Mar 2026 15:28:20 +0000 (19:28 +0400)