mirror of
https://github.com/nginx/nginx.git
synced 2025-01-05 23:07:49 +08:00
bec2cc5286
OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify allows to switch it on. Note that for stapling OCSP response verification isn't something required as it will be done by a client anyway. But doing verification on a server allows to mitigate some attack vectors, most notably stop an attacker from presenting some specially crafted data to all site clients.
59 lines
1.4 KiB
C
59 lines
1.4 KiB
C
|
|
/*
|
|
* Copyright (C) Igor Sysoev
|
|
* Copyright (C) Nginx, Inc.
|
|
*/
|
|
|
|
|
|
#ifndef _NGX_HTTP_SSL_H_INCLUDED_
|
|
#define _NGX_HTTP_SSL_H_INCLUDED_
|
|
|
|
|
|
#include <ngx_config.h>
|
|
#include <ngx_core.h>
|
|
#include <ngx_http.h>
|
|
|
|
|
|
typedef struct {
|
|
ngx_flag_t enable;
|
|
|
|
ngx_ssl_t ssl;
|
|
|
|
ngx_flag_t prefer_server_ciphers;
|
|
|
|
ngx_uint_t protocols;
|
|
|
|
ngx_uint_t verify;
|
|
ngx_uint_t verify_depth;
|
|
|
|
ssize_t builtin_session_cache;
|
|
|
|
time_t session_timeout;
|
|
|
|
ngx_str_t certificate;
|
|
ngx_str_t certificate_key;
|
|
ngx_str_t dhparam;
|
|
ngx_str_t ecdh_curve;
|
|
ngx_str_t client_certificate;
|
|
ngx_str_t trusted_certificate;
|
|
ngx_str_t crl;
|
|
|
|
ngx_str_t ciphers;
|
|
|
|
ngx_shm_zone_t *shm_zone;
|
|
|
|
ngx_flag_t stapling;
|
|
ngx_flag_t stapling_verify;
|
|
ngx_str_t stapling_file;
|
|
ngx_str_t stapling_responder;
|
|
|
|
u_char *file;
|
|
ngx_uint_t line;
|
|
} ngx_http_ssl_srv_conf_t;
|
|
|
|
|
|
extern ngx_module_t ngx_http_ssl_module;
|
|
|
|
|
|
#endif /* _NGX_HTTP_SSL_H_INCLUDED_ */
|