Stream: fixed client certificate validation with OCSP.

author Sergey Kandaurov <pluknet@nginx.com>

Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)

committer Roman Arutyunyan <arutyunyan.roman@gmail.com>

Tue, 24 Mar 2026 18:33:23 +0000 (22:33 +0400)
author Sergey Kandaurov <pluknet@nginx.com>
Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)
committer Roman Arutyunyan <arutyunyan.roman@gmail.com>
Tue, 24 Mar 2026 18:33:23 +0000 (22:33 +0400)
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c

index ea0b112b883c6b08c98057bdda04aa1e13d966cc..85a74ce1d6a94532e58ef6963a29fb48a32862f8 100644 (file)
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -410,6 +410,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
      long                        rc;
      X509                       *cert;
      ngx_int_t                   rv;
+    const char                 *str;
      ngx_connection_t           *c;
      ngx_stream_ssl_srv_conf_t  *sscf;
  
@@ -460,6 +461,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
  
              X509_free(cert);
          }
+
+        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client SSL certificate verify error: %s", str);
+
+            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+            return NGX_ERROR;
+        }
      }
  
      return NGX_OK;
author	Sergey Kandaurov <pluknet@nginx.com>
	Tue, 17 Mar 2026 15:20:03 +0000 (19:20 +0400)
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>
	Tue, 24 Mar 2026 18:33:23 +0000 (22:33 +0400)