[nginx] svn commit: r4880 - in trunk/src: event http/modules
Mon Oct 1 12:53:12 UTC 2012
Author: mdounin
Date: 2012-10-01 12:53:11 +0000 (Mon, 01 Oct 2012)
New Revision: 4880
URL: http://trac.nginx.org/nginx/changeset/4880/nginx
Log:
OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration; the ssl_stapling_verify directive switches it on.
Note that for stapling, OCSP response verification is not strictly required,
since the client will verify the stapled response anyway. Verifying on the
server nevertheless mitigates some attack vectors, most notably it stops an
attacker who can tamper with the responder reply from having the server
staple specially crafted data to every client of the site.
Modified:
trunk/src/event/ngx_event_openssl.h
trunk/src/event/ngx_event_openssl_stapling.c
trunk/src/http/modules/ngx_http_ssl_module.c
trunk/src/http/modules/ngx_http_ssl_module.h
Modified: trunk/src/event/ngx_event_openssl.h
===================================================================
--- trunk/src/event/ngx_event_openssl.h 2012-10-01 12:51:27 UTC (rev 4879)
+++ trunk/src/event/ngx_event_openssl.h 2012-10-01 12:53:11 UTC (rev 4880)
@@ -106,7 +106,7 @@
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *responder, ngx_str_t *file);
+ ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
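Review bot: Swapping the order of `file` and `responder` in the `ngx_ssl_stapling()` prototype is a change the compiler cannot catch, since both parameters are `ngx_str_t *`: a caller not updated in this commit would still compile and silently pass the responder string where the file path is expected. The one caller visible in this diff (ngx_http_ssl_module.c) is updated; any other caller, in-tree or out-of-tree, would have to be checked by hand. A short comment at the prototype documenting the parameters would make such mistakes easier to spot, e.g. `/* file: OCSP response to staple, read from disk; responder: responder to query, presumably a URL; verify: verify the response before stapling it */`.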
Modified: trunk/src/event/ngx_event_openssl_stapling.c
===================================================================
--- trunk/src/event/ngx_event_openssl_stapling.c 2012-10-01 12:51:27 UTC (rev 4879)
+++ trunk/src/event/ngx_event_openssl_stapling.c 2012-10-01 12:53:11 UTC (rev 4880)
@@ -33,7 +33,8 @@
time_t valid;
- ngx_uint_t loading; /* unsigned:1 */
+ unsigned verify:1;
+ unsigned loading:1;
} ngx_ssl_stapling_t;
@@ -114,8 +115,8 @@
ngx_int_t
-ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
- ngx_str_t *file)
+ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *responder, ngx_uint_t verify)
{
ngx_int_t rc;
ngx_pool_cleanup_t *cln;
@@ -144,6 +145,7 @@
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
+ staple->verify = verify;
if (file->len) {
/* use OCSP response from the file */
@@ -588,7 +590,10 @@
chain = staple->ssl_ctx->extra_certs;
#endif
- if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) {
+ if (OCSP_basic_verify(basic, chain, store,
+ staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
+ != 1)
+ {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
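Review bot: The `OCSP_NOVERIFY` branch on the new `OCSP_basic_verify()` call is the security-relevant line of this commit and carries no comment; as far as I recall, `OCSP_NOVERIFY` skips the responder-certificate chain check against `store` while only checking the signature against whatever certificate the response itself carries, so with the new default any party able to tamper with the responder reply can have this response accepted, cached and stapled to every client. The commit log accepts that trade-off, but a reader of this function will not see the log, so a comment stating it would help: `/* verify off (default): only clients check the responder chain; an attacker controlling the responder reply can then make us staple arbitrary data */`. It would also be worth confirming that the status and validity checks that follow are still applied when verification is off, since nothing else filters the response on this path. The enclosing function begins before this hunk and continues after it.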
Modified: trunk/src/http/modules/ngx_http_ssl_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.c 2012-10-01 12:51:27 UTC (rev 4879)
+++ trunk/src/http/modules/ngx_http_ssl_module.c 2012-10-01 12:53:11 UTC (rev 4880)
@@ -182,6 +182,13 @@
offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
NULL },
+ { ngx_string("ssl_stapling_verify"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+ NULL },
+
ngx_null_command
};
@@ -370,6 +377,7 @@
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
sscf->stapling = NGX_CONF_UNSET;
+ sscf->stapling_verify = NGX_CONF_UNSET;
return sscf;
}
@@ -424,6 +432,7 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
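Review bot: The `0` default in `ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0)` is a deliberate security trade-off (unverified responses are stapled unless the administrator opts in), but nothing at the merge site says so, and the merge line is where someone changing defaults will look. A one-line comment would preserve the reasoning from the commit log: `/* off by default: clients verify stapled responses themselves; see ssl_stapling_verify */`.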
@@ -565,8 +574,8 @@
if (conf->stapling) {
- if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_responder,
- &conf->stapling_file)
+ if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+ &conf->stapling_responder, conf->stapling_verify)
!= NGX_OK)
{
return NGX_CONF_ERROR;
Modified: trunk/src/http/modules/ngx_http_ssl_module.h
===================================================================
--- trunk/src/http/modules/ngx_http_ssl_module.h 2012-10-01 12:51:27 UTC (rev 4879)
+++ trunk/src/http/modules/ngx_http_ssl_module.h 2012-10-01 12:53:11 UTC (rev 4880)
@@ -43,6 +43,7 @@
ngx_shm_zone_t *shm_zone;
ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;