Sergey Kandaurov
August 22, 2024 08:48AM
details: https://hg.nginx.org/nginx/rev/8444d2a1d57b
branches:
changeset: 9290:8444d2a1d57b
user: Sergey Kandaurov <pluknet@nginx.com>
date: Thu Aug 22 14:57:46 2024 +0400
description:
Stream: OCSP stapling.

diffstat:

src/stream/ngx_stream_ssl_module.c | 78 +++++++++++++++++++++++++++++++++----
src/stream/ngx_stream_ssl_module.h | 5 ++
2 files changed, 73 insertions(+), 10 deletions(-)

diffs (147 lines):

diff -r eb53c24b158b -r 8444d2a1d57b src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Thu Aug 22 14:57:45 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Thu Aug 22 14:57:46 2024 +0400
@@ -243,6 +243,34 @@ static ngx_command_t ngx_stream_ssl_com
0,
NULL },

+ { ngx_string("ssl_stapling"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_srv_conf_t, stapling),
+ NULL },
+
+ { ngx_string("ssl_stapling_file"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_srv_conf_t, stapling_file),
+ NULL },
+
+ { ngx_string("ssl_stapling_responder"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_srv_conf_t, stapling_responder),
+ NULL },
+
+ { ngx_string("ssl_stapling_verify"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_srv_conf_t, stapling_verify),
+ NULL },
+
{ ngx_string("ssl_conf_command"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
@@ -809,6 +837,8 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_
* sscf->ciphers = { 0, NULL };
* sscf->shm_zone = NULL;
* sscf->ocsp_responder = { 0, NULL };
+ * sscf->stapling_file = { 0, NULL };
+ * sscf->stapling_responder = { 0, NULL };
*/

sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
@@ -826,6 +856,8 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->ocsp = NGX_CONF_UNSET_UINT;
sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
+ sscf->stapling = NGX_CONF_UNSET;
+ sscf->stapling_verify = NGX_CONF_UNSET;

return sscf;
}
@@ -885,6 +917,12 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
prev->ocsp_cache_zone, NULL);

+ ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+ ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
conf->ssl.log = cf->log;

if (conf->certificates) {
@@ -983,18 +1021,18 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t
{
return NGX_CONF_ERROR;
}
+ }

- if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
- &conf->trusted_certificate,
- conf->verify_depth)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
- }
+ if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
+ &conf->trusted_certificate,
+ conf->verify_depth)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }

- if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
+ if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+ return NGX_CONF_ERROR;
}

if (conf->ocsp) {
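Review bot: The `}` added at L92 closes the block that used to enclose the `ngx_ssl_trusted_certificate()` and `ngx_ssl_crl()` calls, so `ssl_trusted_certificate` and `ssl_crl` are now loaded for every stream SSL server regardless of the condition that guarded them before; that condition's opening line is outside the hunk, so it cannot be confirmed from here (presumably `conf->verify`). This is what gives `ssl_stapling_verify` a trust store to check responses against, but it is also a behaviour change worth a comment, since an unreadable or malformed trusted-certificate or CRL file now fails configuration even on servers that never enable client verification. Suggest a one-line comment above the trusted-certificate call: `/* loaded unconditionally: also needed by ssl_stapling_verify */`. ngx_stream_ssl_merge_srv_conf continues on both sides of this hunk.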
@@ -1055,6 +1093,17 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t
return NGX_CONF_ERROR;
}

+ if (conf->stapling) {
+
+ if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+ &conf->stapling_responder, conf->stapling_verify)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
+ }
+
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
return NGX_CONF_ERROR;
}
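Review bot: `ngx_ssl_stapling()` receives `conf->stapling_verify`, which the merge in the hunk at L79–L80 defaults to 0, so unless an operator sets `ssl_stapling_verify on` the response obtained from the responder or read from `ssl_stapling_file` is served to clients without being checked against the trusted store. That mirrors the http module, but since the stream directives are new here the default should be stated in a comment where the call is made, e.g. `/* stapling_verify defaults to off; responses are served unverified unless ssl_stapling_verify on */`, and the directive documentation should note that verification needs the issuer chain in `ssl_trusted_certificate`. The enclosing function ngx_stream_ssl_merge_srv_conf begins and ends outside the hunk.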
@@ -1454,6 +1503,15 @@ ngx_stream_ssl_init(ngx_conf_t *cf)

cscf = cscfp[s]->ctx->srv_conf[ngx_stream_core_module.ctx_index];

+ if (sscf->stapling) {
+ if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, cscf->resolver,
+ cscf->resolver_timeout)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
if (sscf->ocsp) {
if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, cscf->resolver,
cscf->resolver_timeout)
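Review bot: `ngx_ssl_stapling_resolver()` is handed `cscf->resolver` unconditionally, and when the stream server has no `resolver` directive that pointer is presumably NULL; a `ssl_stapling_responder` given as a hostname (or one taken from the certificate) would then presumably fail at run time rather than being reported at startup — confirm against ngx_ssl_stapling_resolver, which is outside this hunk. A short comment at the new branch, `/* resolver may be NULL; hostname responders then fail at run time, not at startup */`, would save operators a debugging round, and the same observation applies to the existing ocsp branch at L148 that the hunk leaves unchanged. The enclosing loop in ngx_stream_ssl_init starts and ends outside the hunk.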
diff -r eb53c24b158b -r 8444d2a1d57b src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h Thu Aug 22 14:57:45 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.h Thu Aug 22 14:57:46 2024 +0400
@@ -57,6 +57,11 @@ typedef struct {
ngx_uint_t ocsp;
ngx_str_t ocsp_responder;
ngx_shm_zone_t *ocsp_cache_zone;
+
+ ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
+ ngx_str_t stapling_file;
+ ngx_str_t stapling_responder;
} ngx_stream_ssl_srv_conf_t;

