
[nginx] OCSP stapling: additional function to configure stapling on a cert.

Maxim Dounin
May 19, 2016 01:32PM
details: http://hg.nginx.org/nginx/rev/e222a97d46c1
branches:
changeset: 6547:e222a97d46c1
user: Maxim Dounin <mdounin@mdounin.ru>
date: Thu May 19 14:46:32 2016 +0300
description:
OCSP stapling: additional function to configure stapling on a cert.

diffstat:

src/event/ngx_event_openssl_stapling.c | 37 +++++++++++++++++++++++----------
1 files changed, 26 insertions(+), 11 deletions(-)

diffs (75 lines):

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -83,6 +83,8 @@ struct ngx_ssl_ocsp_ctx_s {
};


+static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_ssl_stapling_t *staple, ngx_str_t *file);
static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -122,10 +124,29 @@ ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
ngx_str_t *responder, ngx_uint_t verify)
{
- X509 *cert;
- ngx_int_t rc;
- ngx_pool_cleanup_t *cln;
- ngx_ssl_stapling_t *staple;
+ X509 *cert;
+
+ cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+
+ if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
+ ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
+{
+ ngx_int_t rc;
+ ngx_pool_cleanup_t *cln;
+ ngx_ssl_stapling_t *staple;

staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
if (staple == NULL) {
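Review bot: `ngx_ssl_stapling()` passes the result of `SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)` straight to the new helper without a NULL check, and the helper later hands `cert` to `X509_set_ex_data()` (visible in the next hunk), which does not expect a NULL certificate. The lookup was unchecked before this change as well, but now that `cert` is a parameter the non-NULL requirement becomes an unstated contract of `ngx_ssl_stapling_certificate()`. Consider a guard in the caller before the helper call, `if (cert == NULL) { return NGX_ERROR; }`, preceded by a log line saying no certificate is configured for stapling, or at minimum a comment above the helper such as `/* cert must be non-NULL; staple is attached to it via ngx_ssl_stapling_index */`. Whether every caller is guaranteed to have stored a certificate first cannot be seen from this hunk, and the helper's body continues outside it.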
@@ -140,8 +161,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
cln->handler = ngx_ssl_stapling_cleanup;
cln->data = staple;

- cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
-
if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
return NGX_ERROR;
@@ -159,7 +178,7 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
return NGX_ERROR;
}

- goto done;
+ return NGX_OK;
}

rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
@@ -182,10 +201,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
return NGX_ERROR;
}

-done:
-
- SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
-
return NGX_OK;
}


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel