[PATCH] Add RFC 2560 "non-delegated" model where issuer is OCSP signee

Frederik Schwan
May 05, 2014 08:22AM
# HG changeset patch
# User Frederik Schwan <frederik.schwan@linux.com>
# Date 1399288827 -7200
# Mon May 05 13:20:27 2014 +0200
# Node ID a1f71e35b4a851e1a2c8756f885683518665c528
# Parent 48c97d83ab7f0a3f641987fb32ace8af7720aefc
Add RFC 2560 "non-delegated" model where issuer is OCSP signee

diff -r 48c97d83ab7f -r a1f71e35b4a8 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Tue Apr 29 22:22:38 2014 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Mon May 05 13:20:27 2014 +0200
@@ -529,11 +529,11 @@
const
#endif
u_char *p;
- int n;
+ int n, i;
size_t len;
ngx_str_t response;
X509_STORE *store;
- STACK_OF(X509) *chain;
+ STACK_OF(X509) *chain, *issuer_st;
OCSP_CERTID *id;
OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic;
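Review bot: `issuer_st` is declared here without an initializer, but it will be allocated on one path and must be released on every exit, so it should start as NULL (`STACK_OF(X509) *chain, *issuer_st = NULL;` or a separate assignment before the first `goto error`) so that the cleanup code can call `sk_X509_free(issuer_st)` unconditionally. A smaller style point: `i` is used for a return code, and the rest of this file uses `rc` or `n` for that purpose rather than a loop-counter name.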
@@ -589,13 +589,19 @@
#else
chain = staple->ssl_ctx->extra_certs;
#endif
+ issuer_st = sk_X509_new_null();
+ sk_X509_push(issuer_st, staple->issuer);
+ i = OCSP_basic_verify(basic, chain, store,
+ staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
+
+ if (i <= 0 && issuer_st){
+ i = OCSP_basic_verify(basic, issuer_st, store,OCSP_TRUSTOTHER);
+ if (i > 0) ERR_clear_error();
+ }

- if (OCSP_basic_verify(basic, chain, store,
- staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
- != 1)
- {
+ if(i <= 0){
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
- "OCSP_basic_verify() failed");
+ "OCSP_basic_verify() failed");
goto error;
}
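Review bot: `issuer_st` is never freed in this hunk, so every call through this function leaks a `STACK_OF(X509)` on both the success path and the `goto error` path; since `sk_X509_push()` does not take ownership of `staple->issuer`, the fix is a plain `sk_X509_free(issuer_st)` (not `pop_free`) after the verification block and in the error cleanup. The `sk_X509_new_null()` result is also pushed into before it is checked; the `issuer_st` NULL test on the fallback line comes too late, and an allocation failure should `goto error` right after the allocation instead. On the trust model itself: `OCSP_TRUSTOTHER` makes OpenSSL accept any certificate in the supplied stack as a responder signer without chain verification, which is acceptable in the fallback only because the stack holds exactly the already-validated `staple->issuer`; a comment stating that invariant next to the push would keep a later edit from adding anything else to it. Finally, the `-`/`+` pair around `"OCSP_basic_verify() failed"` is a whitespace-only change that should be dropped, and `if(i <= 0){`, `store,OCSP_TRUSTOTHER` and the one-line `if (i > 0) ERR_clear_error();` do not follow the file's spacing and brace conventions.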
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel