# HG changeset patch # User Elliot Thomas # Date 1491387954 -3600 # Wed Apr 05 11:25:54 2017 +0100 # Node ID 00b5a781cee0ab9fc407b699fae594797db96ace # Parent 29ba1d6a2da9320e68ef2b7a2516c4c424672ea8 SSL: add crl_check_all directive for controlling CRL verification. This allows the X509_V_FLAG_CRL_CHECK_ALL to be controlled, supporting 'leaf only' CRL verification in addition to full chain verification (default). This change adds *ssl_crl_check_all directives to the following modules: - ngx_http_proxy_module - ngx_http_ssl_module - ngx_http_uwsgi_module - ngx_mail_ssl_module - ngx_stream_proxy_module - ngx_stream_ssl_module diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/event/ngx_event_openssl.c Wed Apr 05 11:25:54 2017 +0100 @@ -737,7 +737,7 @@ ngx_int_t -ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) +ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl, ngx_uint_t check_all) { X509_STORE *store; X509_LOOKUP *lookup; @@ -775,7 +775,8 @@ } X509_STORE_set_flags(store, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + X509_V_FLAG_CRL_CHECK | + (check_all ? X509_V_FLAG_CRL_CHECK_ALL : 0)); return NGX_OK; } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h Tue Apr 04 18:01:57 2017 +0300 +++ b/src/event/ngx_event_openssl.h Wed Apr 05 11:25:54 2017 +0100 @@ -151,7 +151,8 @@ ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); -ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); +ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl, + ngx_uint_t check_all); ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/http/modules/ngx_http_proxy_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -97,6 +97,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_flag_t ssl_crl_check_all; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; @@ -693,6 +694,13 @@ offsetof(ngx_http_proxy_loc_conf_t, ssl_crl), NULL }, + { ngx_string("proxy_ssl_crl_check_all"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_crl_check_all), + NULL }, + { ngx_string("proxy_ssl_certificate"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -2884,6 +2892,7 @@ conf->upstream.ssl_server_name = NGX_CONF_UNSET; conf->upstream.ssl_verify = NGX_CONF_UNSET; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; + conf->ssl_crl_check_all = NGX_CONF_UNSET; conf->ssl_passwords = NGX_CONF_UNSET_PTR; #endif @@ -3219,6 +3228,7 @@ ngx_conf_merge_str_value(conf->ssl_trusted_certificate, prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_value(conf->ssl_crl_check_all, prev->ssl_crl_check_all, 1); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -4379,7 +4389,7 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl, plcf->ssl_crl_check_all) != NGX_OK) { return NGX_ERROR; } } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -205,6 +205,13 @@ offsetof(ngx_http_ssl_srv_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_all"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, crl_check_all), + NULL}, + { ngx_string("ssl_stapling"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, ngx_conf_set_flag_slot, @@ -547,6 +554,7 @@ sscf->verify_depth = NGX_CONF_UNSET_UINT; sscf->certificates = NGX_CONF_UNSET_PTR; sscf->certificate_keys = NGX_CONF_UNSET_PTR; + sscf->crl_check_all = NGX_CONF_UNSET; sscf->passwords = NGX_CONF_UNSET_PTR; sscf->builtin_session_cache = NGX_CONF_UNSET; sscf->session_timeout = NGX_CONF_UNSET; @@ -607,6 +615,7 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_value(conf->crl_check_all, prev->crl_check_all, 1); ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); @@ -744,7 +753,7 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_all) != NGX_OK) { return NGX_CONF_ERROR; } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Tue Apr 04 18:01:57 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Wed Apr 05 11:25:54 2017 +0100 @@ -40,6 +40,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_flag_t crl_check_all; ngx_str_t ciphers; diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -54,6 +54,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_flag_t ssl_crl_check_all; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; @@ -531,6 +532,13 @@ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl), NULL }, + { ngx_string("uwsgi_ssl_crl_check_all"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl_check_all), + NULL }, + { ngx_string("uwsgi_ssl_certificate"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -1767,6 +1775,7 @@ ngx_conf_merge_str_value(conf->ssl_trusted_certificate, prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_value(conf->ssl_crl_check_all, prev->ssl_crl_check_all, 1); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -2382,7 +2391,7 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl, uwcf->ssl_crl_check_all) != NGX_OK) { return NGX_ERROR; } } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/mail/ngx_mail_ssl_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -190,6 +190,13 @@ offsetof(ngx_mail_ssl_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_all"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, crl_check_all), + NULL }, + ngx_null_command }; @@ -255,6 +262,7 @@ scf->prefer_server_ciphers = NGX_CONF_UNSET; scf->verify = NGX_CONF_UNSET_UINT; scf->verify_depth = NGX_CONF_UNSET_UINT; + scf->crl_check_all = NGX_CONF_UNSET; scf->builtin_session_cache = NGX_CONF_UNSET; scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; @@ -306,6 +314,7 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_value(conf->crl_check_all, prev->crl_check_all, 1); ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); @@ -417,7 +426,7 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_all) != NGX_OK) { return NGX_CONF_ERROR; } } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/mail/ngx_mail_ssl_module.h --- a/src/mail/ngx_mail_ssl_module.h Tue Apr 04 18:01:57 2017 +0300 +++ b/src/mail/ngx_mail_ssl_module.h Wed Apr 05 11:25:54 2017 +0100 @@ -43,6 +43,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_flag_t crl_check_all; ngx_str_t ciphers; diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -44,6 +44,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_flag_t ssl_crl_check_all; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; @@ -290,6 +291,13 @@ offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl), NULL }, + { ngx_string("proxy_ssl_crl_check_all"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl_check_all), + NULL }, + { ngx_string("proxy_ssl_certificate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -1928,6 +1936,7 @@ prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_value(conf->ssl_crl_check_all, prev->ssl_crl_check_all, 1); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -2009,7 +2018,7 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl, pscf->ssl_crl_check_all) != NGX_OK) { return NGX_ERROR; } } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/stream/ngx_stream_ssl_module.c --- a/src/stream/ngx_stream_ssl_module.c Tue Apr 04 18:01:57 2017 +0300 +++ b/src/stream/ngx_stream_ssl_module.c Wed Apr 05 11:25:54 2017 +0100 @@ -186,6 +186,13 @@ offsetof(ngx_stream_ssl_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_all"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_ssl_conf_t, crl_check_all), + NULL }, + ngx_null_command }; @@ -515,6 +522,7 @@ scf->prefer_server_ciphers = NGX_CONF_UNSET; scf->verify = NGX_CONF_UNSET_UINT; scf->verify_depth = NGX_CONF_UNSET_UINT; + scf->crl_check_all = NGX_CONF_UNSET; scf->builtin_session_cache = NGX_CONF_UNSET; scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; @@ -561,6 +569,7 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_value(conf->crl_check_all, prev->crl_check_all, 1); ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); @@ -635,7 +644,7 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_all) != NGX_OK) { return NGX_CONF_ERROR; } } diff -r 29ba1d6a2da9 -r 00b5a781cee0 src/stream/ngx_stream_ssl_module.h --- a/src/stream/ngx_stream_ssl_module.h Tue Apr 04 18:01:57 2017 +0300 +++ b/src/stream/ngx_stream_ssl_module.h Wed Apr 05 11:25:54 2017 +0100 @@ -38,6 +38,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_flag_t crl_check_all; ngx_str_t ciphers;