[nginx] OCSP stapling: staple now extracted via SSL_get_certificate().

Maxim Dounin
May 19, 2016 01:32PM
details: http://hg.nginx.org/nginx/rev/a2d5d45f1525
branches:
changeset: 6546:a2d5d45f1525
user: Maxim Dounin <mdounin@mdounin.ru>
date: Thu May 19 14:46:32 2016 +0300
description:
OCSP stapling: staple now extracted via SSL_get_certificate().

This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions, SSL_get_certificate() fails to return the correct certificate
when the certificate status callback is called.

diffstat:

src/event/ngx_event_openssl_stapling.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)

diffs (36 lines):

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -185,7 +185,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
done:

SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
- SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);

return NGX_OK;
}
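Review bot: with SSL_CTX_set_tlsext_status_arg() dropped here, nothing in this diff shows where `staple` gets attached to the certificate object under `ngx_ssl_stapling_index`; the callback's `X509_get_ex_data(cert, ngx_ssl_stapling_index)` lookup only finds it if a matching `X509_set_ex_data()` has already run for that X509. Please confirm that this happens before the `done:` path is reached, and for every certificate configured with stapling, otherwise the callback returns SSL_TLSEXT_ERR_NOACK for that certificate without any log line explaining why.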
@@ -455,6 +454,7 @@ static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
int rc;
+ X509 *cert;
u_char *p;
ngx_connection_t *c;
ngx_ssl_stapling_t *staple;
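Review bot: the `data` parameter of ngx_ssl_certificate_status_callback() becomes dead once its only consumer, `staple = data;`, is removed in the next hunk; the OpenSSL callback type still requires it, so keep it, but a short comment that the staple is now looked up from the certificate rather than from the callback argument would stop the next reader from hunting for a missing SSL_CTX_set_tlsext_status_arg() call.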
@@ -464,9 +464,15 @@ ngx_ssl_certificate_status_callback(ngx_
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL certificate status callback");

- staple = data;
rc = SSL_TLSEXT_ERR_NOACK;

+ cert = SSL_get_certificate(ssl_conn);
+ staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
+
+ if (staple == NULL) {
+ return rc;
+ }
+
if (staple->staple.len
&& staple->valid >= ngx_time())
{
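Review bot: `cert` from SSL_get_certificate() is passed straight to X509_get_ex_data() without a NULL check; only `staple` is tested afterwards. SSL_get_certificate() returns NULL when no certificate has been selected for the connection, and X509_get_ex_data() dereferences its first argument, so guard the lookup, e.g. `if (cert == NULL) { return rc; }` before `staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);`. The OpenSSL version dependency stated in the commit message (correct certificate only from 1.0.1d+, 1.0.0k, 0.9.8y+) is also not recorded in the code; a one-line comment above the SSL_get_certificate() call would keep that caveat next to the call it applies to.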

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
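The commit message says the change lets nginx return the right OCSP staple when several certificates are configured. The script below is an added example for checking that from the client side; it is not nginx code and not part of the changeset. It connects once per signature algorithm so the server selects its RSA or its ECDSA certificate, then compares the serial named in the stapled response's Certificate ID against the serial of the leaf certificate actually sent. Everything in it is my assumption: `openssl` 1.1.1+ on PATH, a server that picks the certificate from the client's signature_algorithms, an ECDSA certificate on P-256 (the `ecdsa_secp256r1_sha256` name), and HOST/PORT supplied by the caller. The two `SAMPLE_*` fixtures are constructed, not captured.

```shell
#!/bin/sh
# Added example, not part of the nginx changeset: check that a server with
# several certificates staples, for each one, an OCSP response whose
# Certificate ID serial matches the leaf certificate it actually sent.
# Assumptions (mine, not from the commit): openssl 1.1.1+ on PATH, the
# server selects RSA vs ECDSA from the client's signature_algorithms, the
# ECDSA certificate is on P-256, and HOST/PORT are caller-supplied.

# Normalize a serial for comparison: drop a "serial=" prefix, colons,
# spaces and leading zeros, and uppercase the hex digits.
norm_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' -e 's/[: ]//g' -e 's/^0*//' \
        | tr 'a-f' 'A-F'
}

# Read full `openssl s_client -status` output on stdin and print the serial
# named in the stapled OCSP response's Certificate ID. Prints nothing when
# the server sent no staple ("OCSP response: no response sent").
staple_serial() {
    sed -n '/^OCSP Response Data:/,/^======/p' \
        | sed -n 's/^ *Serial Number: *//p' | head -n 1
}

# Read the same output on stdin and print the serial of the first PEM
# certificate in it, which is the leaf the server sent.
leaf_serial() {
    openssl x509 -noout -serial 2>/dev/null | sed 's/^serial=//'
}

# Return 0 when both serials denote the same certificate, 1 otherwise.
# An empty staple serial never matches: no staple counts as a failure.
serials_match() {
    a=$(norm_serial "$1"); b=$(norm_serial "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Connect with one signature-algorithm preference so the server selects
# that certificate, then compare the stapled serial with the leaf serial.
check_one() {
    host=$1; port=$2; sigalg=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -status -sigalgs "$sigalg" </dev/null 2>/dev/null)
    leaf=$(printf '%s\n' "$out" | leaf_serial)
    stap=$(printf '%s\n' "$out" | staple_serial)
    if serials_match "$leaf" "$stap"; then
        printf '%s: OK   leaf %s stapled %s\n' "$sigalg" "$leaf" "$stap"
    else
        printf '%s: FAIL leaf %s stapled %s\n' "$sigalg" "$leaf" "${stap:-<none>}"
        return 1
    fi
}

# Constructed fixtures (not captured from any real server) in the shape of
# s_client -status output, so the parsers can be exercised offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0A1B2C3D4E5F
    Cert Status: good
======================================
---
Certificate chain
'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
'

# Offline check of the parsing and comparison helpers; returns 0 on success.
selftest() {
    [ "$(printf '%s' "$SAMPLE_STAPLED" | staple_serial)" = "0A1B2C3D4E5F" ] || return 1
    [ -z "$(printf '%s' "$SAMPLE_NO_STAPLE" | staple_serial)" ] || return 1
    serials_match 'serial=0a:1b:2c:3d:4e:5f' '0A1B2C3D4E5F' || return 1
    serials_match '0A1B2C3D4E5F' '' && return 1
    return 0
}

# Usage: sh check-staple.sh HOST [PORT]; exits non-zero if any staple is
# missing or belongs to a different certificate than the one served.
if [ "$#" -ge 1 ]; then
    rc=0
    for alg in rsa_pss_rsae_sha256 ecdsa_secp256r1_sha256; do
        check_one "$1" "${2:-443}" "$alg" || rc=1
    done
    exit $rc
fi
```

Before this change a server with both certificates could staple the response for the wrong one, which a client that validates the staple treats as no staple (or, with must-staple, as a hard failure); running the script against a server built from an older nginx and then from this changeset makes the difference visible per signature algorithm.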