mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: support for per-certificate chains.

Browse Source 
The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now
used instead of SSL_CTX_add_extra_chain_cert().

SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate.  There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.

Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
This commit is contained in:
Maxim Dounin 2016-05-19 14:46:32 +03:00
parent e844475905
commit 798999b63d
2 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/event/ngx_event_openssl.c
View File

@ -408,6 +408,24 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
return NGX_ERROR; return NGX_ERROR;
} }
#ifdef SSL_CTRL_CHAIN_CERT
/*
* SSL_CTX_add0_chain_cert() is needed to add chain to
* a particular certificate when multiple certificates are used;
* only available in OpenSSL 1.0.2+
*/
if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_add0_chain_cert(\"%s\") failed",
cert->data);
X509_free(x509);
BIO_free(bio);
return NGX_ERROR;
}
#else
if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_add_extra_chain_cert(\"%s\") failed", "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
@ -416,6 +434,7 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
BIO_free(bio); BIO_free(bio);
return NGX_ERROR; return NGX_ERROR;
} }
#endif
} }
BIO_free(bio); BIO_free(bio);

16
src/event/ngx_event_openssl_stapling.c
View File

@ -287,7 +287,13 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
cert = staple->cert; cert = staple->cert;
#if OPENSSL_VERSION_NUMBER >= 0x10001000L #ifdef SSL_CTRL_SELECT_CURRENT_CERT
/* OpenSSL 1.0.2+ */
SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
#else #else
chain = ssl->ctx->extra_certs; chain = ssl->ctx->extra_certs;
@ -621,7 +627,13 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
goto error; goto error;
} }
#if OPENSSL_VERSION_NUMBER >= 0x10001000L #ifdef SSL_CTRL_SELECT_CURRENT_CERT
/* OpenSSL 1.0.2+ */
SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
#endif
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
#else #else
chain = staple->ssl_ctx->extra_certs; chain = staple->ssl_ctx->extra_certs;