[PATCH 4 of 6] SSL Stapling: ...

Filipe DA SILVA fdasilva at ingima.com
Thu Apr 16 10:10:47 UTC 2015


# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1429178261 -7200
#      Thu Apr 16 11:57:41 2015 +0200
# Node ID 257767ac10541b1d94e6c93b19a1d5ebd3569abf
# Parent  4b0a7a9e22bd09044cdbc623da815bb14d0d7b4c
SSL Stapling: introduce Multiple Cert Management.

diff -r 4b0a7a9e22bd -r 257767ac1054 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c	Thu Apr 16 11:57:41 2015 +0200
@@ -93,9 +93,13 @@ struct ngx_ssl_ocsp_ctx_s {
 
 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *file, ngx_ssl_staple_t *conf);
-static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
+
+static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    X509 *cert);
 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *responder);
+    ngx_str_t *responder, X509 *cert);
+static ngx_int_t ngx_ssl_stapling_issuer_responder(ngx_conf_t *cf,
+    ngx_ssl_t *ssl, ngx_str_t *responder);
 
 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
     void *data);
@@ -157,17 +161,7 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
         goto done;
     }
 
-    rc = ngx_ssl_stapling_issuer(cf, ssl);
-
-    if (rc == NGX_DECLINED) {
-        return NGX_OK;
-    }
-
-    if (rc != NGX_OK) {
-        return NGX_ERROR;
-    }
-
-    rc = ngx_ssl_stapling_responder(cf, ssl, responder);
+    rc = ngx_ssl_stapling_issuer_responder(cf, ssl, responder);
 
     if (rc == NGX_DECLINED) {
         return NGX_OK;
@@ -254,18 +248,55 @@ failed:
 
 
 static ngx_int_t
-ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
+ngx_ssl_stapling_issuer_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    ngx_str_t *responder)
+{
+    ngx_int_t           rc, ret;
+    X509               *cert;
+
+    ret = NGX_DECLINED;
+    cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
+
+    while (cert) {
+
+        rc = ngx_ssl_stapling_issuer(cf, ssl, cert);
+
+        if (rc == NGX_OK) {
+
+            rc = ngx_ssl_stapling_responder(cf, ssl, responder, cert);
+
+            /* return OK, when one cert at least is OK */
+            if (rc == NGX_OK) {
+                ret = NGX_OK;
+            }
+        }
+
+        if (rc == NGX_DECLINED) {
+            rc = NGX_OK;
+        }
+        if (rc != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        /* Get next certificate */
+        cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_NEXT_CERT);
+    }
+
+    return ret;
+}
+
+
+static ngx_int_t
+ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert)
 {
     int                  i, n, rc;
-    X509                *cert, *issuer;
+    X509                *issuer;
     X509_STORE          *store;
     X509_STORE_CTX      *store_ctx;
     STACK_OF(X509)      *chain;
     ngx_ssl_stapling_t  *staple;
     ngx_pool_cleanup_t  *cln;
 
-    cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
-
     staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
     if (staple == NULL) {
         return NGX_ERROR;
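Review bot: ngx_ssl_stapling_issuer_responder returns NGX_OK as soon as one certificate yields a staple, so the caller will go on to install the status callback even for certificates where ngx_ssl_stapling_issuer or ngx_ssl_stapling_responder returned NGX_DECLINED and, as far as this hunk shows, no ngx_ssl_stapling_t was attached to the X509. Before this change an NGX_DECLINED result short-circuited ngx_ssl_stapling before the callback was set, so a staple-less certificate could never be selected at handshake time; ngx_ssl_certificate_status_callback (outside this hunk) must now tolerate X509_get_ex_data returning NULL for the negotiated certificate, or this loop should record which certificates actually have a staple. The rc/ret juggling can also be flattened to one check, `if (rc != NGX_OK && rc != NGX_DECLINED) { return NGX_ERROR; }`, which removes the `rc = NGX_OK` reassignment. Finally, the NGX_SSL_FIRST_CERT/NGX_SSL_NEXT_CERT walk presumably keeps its cursor in ssl->ctx while ngx_ssl_stapling_issuer builds an X509_STORE_CTX and chain in between; a comment such as `/* callees must not move the SSL_CTX current-certificate cursor used by NGX_SSL_NEXT_CERT */` would make that dependency explicit.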
@@ -370,15 +401,14 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
 
 
 static ngx_int_t
-ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
+ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
+    X509 *cert)
 {
     ngx_url_t                  u;
     char                      *s;
     ngx_ssl_stapling_t        *staple;
-    X509                      *cert;
     STACK_OF(OPENSSL_STRING)  *aia;
 
-    cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
     staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);
 
     if (responder->len == 0) {
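Review bot: `staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);` is now taken from a caller-supplied certificate and, in the part of the function visible here, is not checked for NULL before the body presumably uses it. The implicit contract is that ngx_ssl_stapling_issuer attached the ngx_ssl_stapling_t to this same X509 and returned NGX_OK; that should be stated above the call, e.g. `/* cert must already carry the ngx_ssl_stapling_t attached by ngx_ssl_stapling_issuer() */`, and a cheap `if (staple == NULL) { return NGX_ERROR; }` would turn a future ordering mistake into a config-time error rather than a NULL dereference. The body of ngx_ssl_stapling_responder continues outside this hunk.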


