[nginx] SSL: support for per-certificate chains.

Maxim Dounin
May 19, 2016 01:32PM
details: http://hg.nginx.org/nginx/rev/d3302eb87a0c
branches:
changeset: 6549:d3302eb87a0c
user: Maxim Dounin <mdounin@mdounin.ru>
date: Thu May 19 14:46:32 2016 +0300
description:
SSL: support for per-certificate chains.

The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 is now
used instead of SSL_CTX_add_extra_chain_cert().

SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate. There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.

Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure the correct chain will be returned.

diffstat:

src/event/ngx_event_openssl.c | 19 +++++++++++++++++++
src/event/ngx_event_openssl_stapling.c | 16 ++++++++++++++--
2 files changed, 33 insertions(+), 2 deletions(-)

diffs (69 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -408,6 +408,24 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
return NGX_ERROR;
}

+#ifdef SSL_CTRL_CHAIN_CERT
+
+ /*
+ * SSL_CTX_add0_chain_cert() is needed to add chain to
+ * a particular certificate when multiple certificates are used;
+ * only available in OpenSSL 1.0.2+
+ */
+
+ if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_add0_chain_cert(\"%s\") failed",
+ cert->data);
+ X509_free(x509);
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+
+#else
if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_add_extra_chain_cert(\"%s\") failed",
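Review bot: the comment at the top of the `#ifdef SSL_CTRL_CHAIN_CERT` branch should also state the ownership rule, because it differs from the `#else` branch: SSL_CTX_add0_chain_cert() takes over the caller's reference to `x509` on success (the `0` in its name), so the `X509_free(x509)` is correct only on the failure path and must never be mirrored after a successful call. Guarding on the SSL_CTRL_CHAIN_CERT feature macro rather than on OPENSSL_VERSION_NUMBER is the right choice, since it also covers forks that backport the API.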
@@ -416,6 +434,7 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
BIO_free(bio);
return NGX_ERROR;
}
+#endif
}

BIO_free(bio);
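Review bot: the `#endif` leaves two branches with identical cleanup (`X509_free(x509); BIO_free(bio); return NGX_ERROR;`) that differ only in the function called and its name in the log message; selecting the call (and the name string) once under the `#ifdef` and writing the cleanup a single time would keep the two error paths from drifting apart in later edits.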
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -287,7 +287,13 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,

cert = staple->cert;

-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+ /* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
#else
chain = ssl->ctx->extra_certs;
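Review bot: the return value of `SSL_CTX_select_current_cert(ssl->ctx, cert)` is discarded. It returns 1 when `cert` is found in the context and 0 otherwise, and on 0 the current certificate is left unchanged, so the SSL_CTX_get_extra_chain_certs() call that follows would hand back the chain of a different certificate and the issuer lookup would silently proceed against the wrong chain. Suggest treating 0 as an error with an ngx_ssl_error() log line, as ngx_ssl_certificate() does for its OpenSSL calls in the first hunk.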
@@ -621,7 +627,13 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
goto error;
}

-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+ /* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
#else
chain = staple->ssl_ctx->extra_certs;
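Review bot: same unchecked SSL_CTX_select_current_cert() as in the previous hunk, and here the consequence is worse: this is the OCSP response handler, so a failed selection would validate a response against another certificate's chain at run time instead of failing at configuration time. Also, the `/* OpenSSL 1.0.2+ */` and `/* OpenSSL 1.0.1+ */` comments record versions while the guards test feature macros; a one-line note that the macros are deliberate (forks with backported support) would stop a later reader from "simplifying" them back to OPENSSL_VERSION_NUMBER checks.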

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel