
[nginx] svn commit: r4874 - in trunk: auto src/event src/http/modules

Anonymous User
October 01, 2012 08:42AM
Author: mdounin
Date: 2012-10-01 12:41:08 +0000 (Mon, 01 Oct 2012)
New Revision: 4874
URL: http://trac.nginx.org/nginx/changeset/4874/nginx

Log:
OCSP stapling: ssl_stapling_file support.

Very basic version without any OCSP responder query code, assuming a valid
DER-encoded OCSP response is present in the configured ssl_stapling_file.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
-url http://ocsp.example.com


Modified:
trunk/auto/sources
trunk/src/event/ngx_event_openssl.h
trunk/src/http/modules/ngx_http_ssl_module.c
trunk/src/http/modules/ngx_http_ssl_module.h

Modified: trunk/auto/sources
===================================================================
--- trunk/auto/sources 2012-10-01 12:39:36 UTC (rev 4873)
+++ trunk/auto/sources 2012-10-01 12:41:08 UTC (rev 4874)
@@ -77,7 +77,8 @@

OPENSSL_MODULE=ngx_openssl_module
OPENSSL_DEPS=src/event/ngx_event_openssl.h
-OPENSSL_SRCS=src/event/ngx_event_openssl.c
+OPENSSL_SRCS="src/event/ngx_event_openssl.c \
+ src/event/ngx_event_openssl_stapling.c"


EVENT_MODULES="ngx_events_module ngx_event_core_module"

Modified: trunk/src/event/ngx_event_openssl.h
===================================================================
--- trunk/src/event/ngx_event_openssl.h 2012-10-01 12:39:36 UTC (rev 4873)
+++ trunk/src/event/ngx_event_openssl.h 2012-10-01 12:41:08 UTC (rev 4874)
@@ -17,6 +17,7 @@
#include <openssl/conf.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
+#include <openssl/ocsp.h>

#define NGX_SSL_NAME "OpenSSL"
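Review bot: The new `#include <openssl/ocsp.h>` is unconditional, so every translation unit that pulls in ngx_event_openssl.h now depends on OCSP support in the OpenSSL build. If builds against an OpenSSL configured without OCSP are meant to keep working, the include should be guarded, e.g. `#ifndef OPENSSL_NO_OCSP` / `#include <openssl/ocsp.h>` / `#endif`. The stapling code would then need the same guard, which cannot be checked here because ngx_event_openssl_stapling.c is not part of the visible diff.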

@@ -104,6 +105,7 @@
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
+ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);

Modified: trunk/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.c 2012-10-01 12:39:36 UTC (rev 4873)
+++ trunk/src/http/modules/ngx_http_ssl_module.c 2012-10-01 12:41:08 UTC (rev 4874)
@@ -159,6 +159,20 @@
offsetof(ngx_http_ssl_srv_conf_t, crl),
NULL },

+ { ngx_string("ssl_stapling"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, stapling),
+ NULL },
+
+ { ngx_string("ssl_stapling_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
+ NULL },
+
ngx_null_command
};
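Review bot: The two new directives are coupled, but nothing in the table says so: `ssl_stapling_file` is stored by `ngx_conf_set_str_slot` and, per the later hunk in this file, consulted only when `ssl_stapling` is on, so a file configured alone is silently ignored. A short comment above the entries would record this, e.g. `/* ssl_stapling_file is used only when ssl_stapling is on; it must hold a DER-encoded OCSP response */`. Per the commit log the file content is assumed valid, so if it is read only at configuration time (not visible here) the operator has to refresh it and reload before the response expires; that is worth stating in the same comment. The command array starts outside this hunk.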

@@ -336,6 +350,7 @@
* sscf->crl = { 0, NULL };
* sscf->ciphers = { 0, NULL };
* sscf->shm_zone = NULL;
+ * sscf->stapling_file = { 0, NULL };
*/

sscf->enable = NGX_CONF_UNSET;
@@ -344,6 +359,7 @@
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
+ sscf->stapling = NGX_CONF_UNSET;

return sscf;
}
@@ -397,6 +413,8 @@

ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

+ ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");

conf->ssl.log = cf->log;

@@ -533,6 +551,12 @@
return NGX_CONF_ERROR;
}

+ if (conf->stapling
+ && ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
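Review bot: The added call is gated only on `conf->stapling`, so with `ssl_stapling on` and no `ssl_stapling_file` it passes the empty string that the merge hunk above sets as the default (`ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "")`). The commit log says this revision has no responder query code, so in that configuration nothing can be stapled, and whether ngx_ssl_stapling() rejects an empty path or quietly succeeds is not visible in this diff. An explicit check at the call site would make the outcome clear to the administrator: `if (conf->stapling && conf->stapling_file.len == 0) { ngx_log_error(NGX_LOG_WARN, cf->log, 0, "\"ssl_stapling\" is on but no \"ssl_stapling_file\" is configured"); }`. The enclosing merge function begins outside the hunk.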


Modified: trunk/src/http/modules/ngx_http_ssl_module.h
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.h 2012-10-01 12:39:36 UTC (rev 4873)
+++ trunk/src/http/modules/ngx_http_ssl_module.h 2012-10-01 12:41:08 UTC (rev 4874)
@@ -42,6 +42,9 @@

ngx_shm_zone_t *shm_zone;

+ ngx_flag_t stapling;
+ ngx_str_t stapling_file;
+
u_char *file;
ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;
