mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

OCSP stapling: ssl_stapling_verify directive.

Browse Source 
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
This commit is contained in:
Maxim Dounin 2012-10-01 12:53:11 +00:00
parent 3ebbb7d521
commit bec2cc5286
4 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/event/ngx_event_openssl.h
View File

@ -106,7 +106,7 @@ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth); ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *responder, ngx_str_t *file); ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length); RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);

13
src/event/ngx_event_openssl_stapling.c
View File

@ -33,7 +33,8 @@ typedef struct {
time_t valid; time_t valid;
ngx_uint_t loading; /* unsigned:1 */ unsigned verify:1;
unsigned loading:1;
} ngx_ssl_stapling_t; } ngx_ssl_stapling_t;
@ -114,8 +115,8 @@ static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);
ngx_int_t ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
ngx_str_t *file) ngx_str_t *responder, ngx_uint_t verify)
{ {
ngx_int_t rc; ngx_int_t rc;
ngx_pool_cleanup_t *cln; ngx_pool_cleanup_t *cln;
@ -144,6 +145,7 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
staple->ssl_ctx = ssl->ctx; staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000; staple->timeout = 60000;
staple->verify = verify;
if (file->len) { if (file->len) {
/* use OCSP response from the file */ /* use OCSP response from the file */
@ -588,7 +590,10 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
chain = staple->ssl_ctx->extra_certs; chain = staple->ssl_ctx->extra_certs;
#endif #endif
if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { if (OCSP_basic_verify(basic, chain, store,
staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
!= 1)
{
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed"); "OCSP_basic_verify() failed");
goto error; goto error;

13
src/http/modules/ngx_http_ssl_module.c
View File

@ -182,6 +182,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
NULL }, NULL },
{ ngx_string("ssl_stapling_verify"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
NULL },
ngx_null_command ngx_null_command
}; };
@ -370,6 +377,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
sscf->builtin_session_cache = NGX_CONF_UNSET; sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET; sscf->session_timeout = NGX_CONF_UNSET;
sscf->stapling = NGX_CONF_UNSET; sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
return sscf; return sscf;
} }
@ -424,6 +432,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
ngx_conf_merge_value(conf->stapling, prev->stapling, 0); ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
ngx_conf_merge_str_value(conf->stapling_responder, ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, ""); prev->stapling_responder, "");
@ -565,8 +574,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->stapling) { if (conf->stapling) {
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder, if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
&conf->stapling_file) &conf->stapling_responder, conf->stapling_verify)
!= NGX_OK) != NGX_OK)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;

1
src/http/modules/ngx_http_ssl_module.h
View File

@ -43,6 +43,7 @@ typedef struct {
ngx_shm_zone_t *shm_zone; ngx_shm_zone_t *shm_zone;
ngx_flag_t stapling; ngx_flag_t stapling;
ngx_flag_t stapling_verify;
ngx_str_t stapling_file; ngx_str_t stapling_file;
ngx_str_t stapling_responder; ngx_str_t stapling_responder;