[PATCH 3 of 5] OCSP Stapling: introduce multiple cert support.
Filipe DA SILVA
fdasilva at ingima.com
Mon Apr 27 15:39:48 UTC 2015
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1430147821 -7200
# Mon Apr 27 17:17:01 2015 +0200
# Node ID 1b79826c93a4822fa3c11bc4139ca76e5189b14c
# Parent caabe5c77b51274237d7c49fffb864a27ca0a25f
OCSP Stapling: introduce multiple cert support.
Loop over each configured certificate to initialize its respective stapling context.
Compatible with 'stable-1.8'
diff -r caabe5c77b51 -r 1b79826c93a4 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Mon Apr 27 17:17:01 2015 +0200
@@ -93,9 +93,10 @@ struct ngx_ssl_ocsp_ctx_s {
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *file, ngx_ssl_staple_conf_t *conf);
-static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
+static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ X509 *cert);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *responder);
+ ngx_str_t *responder, X509 *cert);
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
void *data);
@@ -128,8 +129,9 @@ ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
ngx_str_t *responder, ngx_uint_t verify)
{
- ngx_int_t rc;
+ ngx_int_t rc, res;
ngx_ssl_staple_conf_t *conf;
+ X509 *cert;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_staple_conf_t));
if (conf == NULL) {
@@ -157,26 +159,32 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
goto done;
}
- rc = ngx_ssl_stapling_issuer(cf, ssl);
+ res = NGX_DECLINED;
+ cert = ngx_ssl_get_server_certificate(ssl);
- if (rc == NGX_DECLINED) {
- return NGX_OK;
+ while (cert) {
+ rc = ngx_ssl_stapling_issuer(cf, ssl, cert);
+
+ if (rc == NGX_OK) {
+ rc = ngx_ssl_stapling_responder(cf, ssl, responder, cert);
+ }
+
+ if (rc == NGX_OK) {
+ /* result becomes OK when at least one cert is OK */
+ res = NGX_OK;
+ } else if (rc == NGX_DECLINED) {
+ rc = NGX_OK;
+ } else {
+ return NGX_ERROR;
+ }
+
+ cert = ngx_ssl_get_next_server_certificate(ssl);
}
- if (rc != NGX_OK) {
- return NGX_ERROR;
- }
-
- rc = ngx_ssl_stapling_responder(cf, ssl, responder);
-
- if (rc == NGX_DECLINED) {
+ if (res == NGX_DECLINED) {
return NGX_OK;
}
- if (rc != NGX_OK) {
- return NGX_ERROR;
- }
-
done:
SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
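Review bot: The `rc = NGX_OK;` assignment in the `else if (rc == NGX_DECLINED)` branch is dead — `rc` is unconditionally reassigned at the top of the next iteration and never read after the loop — so the branch can collapse to `} else if (rc != NGX_DECLINED) { return NGX_ERROR; }`. More importantly, a certificate for which ngx_ssl_stapling_responder declines (e.g. no AIA URL) still keeps the stapling context that ngx_ssl_stapling_issuer attached to it, while the status callback is installed for the whole SSL_CTX at `done:`, so ngx_ssl_certificate_status_callback presumably must now tolerate a staple with no responder configured — a path the old code never reached, since it returned before installing the callback; worth confirming. Also, when `ngx_ssl_get_server_certificate` returns NULL the function now returns NGX_OK having examined nothing, silently; an `ngx_log_error(NGX_LOG_WARN, ...)` there would help operators notice a misconfiguration. ngx_ssl_stapling starts before and ends after this hunk.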
@@ -254,18 +262,16 @@ failed:
static ngx_int_t
-ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
+ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert)
{
int i, n, rc;
- X509 *cert, *issuer;
+ X509 *issuer;
X509_STORE *store;
X509_STORE_CTX *store_ctx;
STACK_OF(X509) *chain;
ngx_ssl_stapling_t *staple;
ngx_pool_cleanup_t *cln;
- cert = ngx_ssl_get_server_certificate(ssl->ctx);
-
staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
if (staple == NULL) {
return NGX_ERROR;
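Review bot: The new `cert` parameter has no comment stating its contract and is used without a NULL check; the only caller guards it with `while (cert)`, so a one-line comment such as `/* cert: leaf certificate to attach a stapling context to; caller guarantees non-NULL */` above the declarations would pin that down. Since this function is now invoked once per configured certificate, the issuer lookup through `chain` (built below, outside the hunk) must use the chain that belongs to *this* certificate rather than a single SSL_CTX-wide extra chain, otherwise issuer resolution for all but the last-loaded certificate can fail or be matched against a chain that is not its own — worth verifying in the part of the body not shown. ngx_ssl_stapling_issuer's body continues past this hunk.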
@@ -367,22 +373,21 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
static ngx_int_t
-ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
+ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
+ X509 *cert)
{
ngx_url_t u;
char *s;
ngx_ssl_stapling_t *staple;
- X509 *cert;
STACK_OF(OPENSSL_STRING) *aia;
- cert = ngx_ssl_get_server_certificate(ssl);
staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);
if (responder->len == 0) {
/* extract OCSP responder URL from certificate */
- aia = X509_get1_ocsp(staple->cert);
+ aia = X509_get1_ocsp(cert);
if (aia == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
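Review bot: `staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);` is taken on faith; if the ex_data was never set for this X509 (issuer step skipped, or a different certificate object handed in) the later uses of `staple` below the hunk would presumably dereference NULL. The caller currently reaches this only after ngx_ssl_stapling_issuer returned NGX_OK, but an explicit guard is cheap: `if (staple == NULL) { return NGX_ERROR; }`. The switch from `staple->cert` to `cert` in `X509_get1_ocsp` is sound only if the issuer step stores this same X509 in `staple->cert`, which is outside this hunk. ngx_ssl_stapling_responder's body continues past this hunk.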