Welcome! Log In Create A New Profile

Advanced

[nginx] svn commit: r4873 - in trunk/src: event http/modules

Previous Message Next Message
Forum List Message List New Topic Print View
Anonymous User
October 01, 2012 08:40AM
Author: mdounin
Date: 2012-10-01 12:39:36 +0000 (Mon, 01 Oct 2012)
New Revision: 4873
URL: http://trac.nginx.org/nginx/changeset/4873/nginx

Log:
OCSP stapling: ssl_trusted_certificate directive.

The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification. In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).


Modified:
trunk/src/event/ngx_event_openssl.c
trunk/src/event/ngx_event_openssl.h
trunk/src/http/modules/ngx_http_ssl_module.c
trunk/src/http/modules/ngx_http_ssl_module.h

Modified: trunk/src/event/ngx_event_openssl.c
===================================================================
--- trunk/src/event/ngx_event_openssl.c 2012-09-28 18:28:38 UTC (rev 4872)
+++ trunk/src/event/ngx_event_openssl.c 2012-10-01 12:39:36 UTC (rev 4873)
@@ -297,6 +297,33 @@


ngx_int_t
+ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+ ngx_int_t depth)
+{
+ SSL_CTX_set_verify_depth(ssl->ctx, depth);
+
+ if (cert->len == 0) {
+ return NGX_OK;
+ }
+
+ if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_load_verify_locations(\"%s\") failed",
+ cert->data);
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
{
X509_STORE *store;

Modified: trunk/src/event/ngx_event_openssl.h
===================================================================
--- trunk/src/event/ngx_event_openssl.h 2012-09-28 18:28:38 UTC (rev 4872)
+++ trunk/src/event/ngx_event_openssl.h 2012-10-01 12:39:36 UTC (rev 4873)
@@ -101,6 +101,8 @@
ngx_str_t *cert, ngx_str_t *key);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
+ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);

Modified: trunk/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.c 2012-09-28 18:28:38 UTC (rev 4872)
+++ trunk/src/http/modules/ngx_http_ssl_module.c 2012-10-01 12:39:36 UTC (rev 4873)
@@ -124,6 +124,13 @@
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
NULL },

+ { ngx_string("ssl_trusted_certificate"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
+ NULL },
+
{ ngx_string("ssl_prefer_server_ciphers"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -325,6 +332,7 @@
* sscf->dhparam = { 0, NULL };
* sscf->ecdh_curve = { 0, NULL };
* sscf->client_certificate = { 0, NULL };
+ * sscf->trusted_certificate = { 0, NULL };
* sscf->crl = { 0, NULL };
* sscf->ciphers = { 0, NULL };
* sscf->shm_zone = NULL;
@@ -380,6 +388,8 @@

ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
"");
+ ngx_conf_merge_str_value(conf->trusted_certificate,
+ prev->trusted_certificate, "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");

ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
@@ -479,12 +489,20 @@
{
return NGX_CONF_ERROR;
}
+ }

- if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
+ if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
+ &conf->trusted_certificate,
+ conf->verify_depth)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
}

+ if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
if (conf->prefer_server_ciphers) {
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

Modified: trunk/src/http/modules/ngx_http_ssl_module.h
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.h 2012-09-28 18:28:38 UTC (rev 4872)
+++ trunk/src/http/modules/ngx_http_ssl_module.h 2012-10-01 12:39:36 UTC (rev 4873)
@@ -35,6 +35,7 @@
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;
+ ngx_str_t trusted_certificate;
ngx_str_t crl;

ngx_str_t ciphers;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[nginx] svn commit: r4873 - in trunk/src: event http/modules

Anonymous User 946 October 01, 2012 08:40AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 191
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready