mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 09:42:39 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

OCSP stapling: staple now stored in certificate, not SSL context.

Browse Source
This commit is contained in:
Maxim Dounin 2016-05-19 14:46:32 +03:00
parent 825289ff60
commit b4276f2447
2 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/event/ngx_event_openssl.c
View File

@ -187,11 +187,10 @@ ngx_ssl_init(ngx_log_t *log)
return NGX_ERROR; return NGX_ERROR;
} }
ngx_ssl_stapling_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
NULL);
if (ngx_ssl_stapling_index == -1) { if (ngx_ssl_stapling_index == -1) {
ngx_ssl_error(NGX_LOG_ALERT, log, 0, ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
"SSL_CTX_get_ex_new_index() failed");
return NGX_ERROR; return NGX_ERROR;
} }

19
src/event/ngx_event_openssl_stapling.c
View File

@ -122,6 +122,7 @@ ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
ngx_str_t *responder, ngx_uint_t verify) ngx_str_t *responder, ngx_uint_t verify)
{ {
X509 *cert;
ngx_int_t rc; ngx_int_t rc;
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
ngx_ssl_stapling_t *staple; ngx_ssl_stapling_t *staple;
@ -139,17 +140,17 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
cln->handler = ngx_ssl_stapling_cleanup; cln->handler = ngx_ssl_stapling_cleanup;
cln->data = staple; cln->data = staple;
if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple) cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
== 0)
{ if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
"SSL_CTX_set_ex_data() failed");
return NGX_ERROR; return NGX_ERROR;
} }
staple->ssl_ctx = ssl->ctx; staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000; staple->timeout = 60000;
staple->verify = verify; staple->verify = verify;
staple->cert = cert;
if (file->len) { if (file->len) {
/* use OCSP response from the file */ /* use OCSP response from the file */
@ -267,7 +268,7 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
X509_STORE_CTX *store_ctx; X509_STORE_CTX *store_ctx;
STACK_OF(X509) *chain; STACK_OF(X509) *chain;
cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); cert = staple->cert;
#if OPENSSL_VERSION_NUMBER >= 0x10001000L #if OPENSSL_VERSION_NUMBER >= 0x10001000L
SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
@ -292,7 +293,6 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: found %p in extra certs", issuer); "SSL get issuer: found %p in extra certs", issuer);
staple->cert = cert;
staple->issuer = issuer; staple->issuer = issuer;
return NGX_OK; return NGX_OK;
@ -341,7 +341,6 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: found %p in cert store", issuer); "SSL get issuer: found %p in cert store", issuer);
staple->cert = cert;
staple->issuer = issuer; staple->issuer = issuer;
return NGX_OK; return NGX_OK;
@ -439,9 +438,11 @@ ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{ {
X509 *cert;
ngx_ssl_stapling_t *staple; ngx_ssl_stapling_t *staple;
staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
staple->resolver = resolver; staple->resolver = resolver;
staple->resolver_timeout = resolver_timeout; staple->resolver_timeout = resolver_timeout;