invalidate SSL session if there is no valid client certificate

Igor Sysoev 2008-03-10 14:47:07 +00:00
parent fb14092fdc
commit 472233d0a3
3 changed files with 22 additions and 0 deletions


@ -1552,6 +1552,15 @@ done:
} }
void
ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
SSL_CTX_remove_session(ssl, sess);
ngx_ssl_remove_session(ssl, sess);
}
static void static void
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{ {
@ -1567,6 +1576,10 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
if (shm_zone == NULL) {
return;
}
cache = shm_zone->data; cache = shm_zone->data;
id = sess->session_id; id = sess->session_id;
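Review bot: ngx_ssl_remove_cached_session() forwards `sess` unchecked, and ngx_ssl_remove_session() reads `sess->session_id` as soon as the new `shm_zone == NULL` guard has been passed. The callers added in this commit pass the result of `SSL_get0_session()`, which can be NULL when the connection has no session; whether that can happen at those call sites is not visible here. A guard at the top of the new helper, `if (sess == NULL) { return; }`, would make it safe for any caller. A short comment would also help, stating that the first call drops the entry from OpenSSL's internal cache and the second drops it from the shared-memory zone. The body of ngx_ssl_remove_session continues outside the hunk.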


@ -105,6 +105,7 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags); ngx_uint_t flags);
void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection)
#define ngx_ssl_free_session SSL_SESSION_free #define ngx_ssl_free_session SSL_SESSION_free


@ -1430,6 +1430,10 @@ ngx_http_process_request(ngx_http_request_t *r)
ngx_log_error(NGX_LOG_INFO, c->log, 0, ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)", "client SSL certificate verify error: (%l:%s)",
rc, X509_verify_cert_error_string(rc)); rc, X509_verify_cert_error_string(rc));
ngx_ssl_remove_cached_session(sscf->ssl.ctx,
(SSL_get0_session(c->ssl->connection)));
ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR); ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
return; return;
} }
@ -1439,6 +1443,10 @@ ngx_http_process_request(ngx_http_request_t *r)
{ {
ngx_log_error(NGX_LOG_INFO, c->log, 0, ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent no required SSL certificate"); "client sent no required SSL certificate");
ngx_ssl_remove_cached_session(sscf->ssl.ctx,
(SSL_get0_session(c->ssl->connection)));
ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT); ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
return; return;
} }
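Review bot: Both new call sites in ngx_http_process_request() remove only the server-side cache entry, which has no effect on a session ticket the client may already have received during the handshake. If tickets are enabled for this context (not visible here), a client resuming by ticket would not be forced into a fresh handshake, so the invalidation is only partial. That limit deserves a comment at the first call, for example `/* removes the cached session only; an already issued session ticket is not revoked */`. The same two-line call is repeated in the verify-error and no-certificate branches, and the extra parentheses around `SSL_get0_session(c->ssl->connection)` can be dropped. The function body starts and ends outside these hunks.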