[PATCH 4 of 6] SSL Stapling: ...
Filipe DA SILVA
fdasilva at ingima.com
Thu Apr 16 10:10:47 UTC 2015
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1429178261 -7200
# Thu Apr 16 11:57:41 2015 +0200
# Node ID 257767ac10541b1d94e6c93b19a1d5ebd3569abf
# Parent 4b0a7a9e22bd09044cdbc623da815bb14d0d7b4c
SSL Stapling: introduce Multiple Cert Management.
diff -r 4b0a7a9e22bd -r 257767ac1054 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Thu Apr 16 11:57:41 2015 +0200
@@ -93,9 +93,13 @@ struct ngx_ssl_ocsp_ctx_s {
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *file, ngx_ssl_staple_t *conf);
-static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
+
+static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ X509 *cert);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *responder);
+ ngx_str_t *responder, X509 *cert);
+static ngx_int_t ngx_ssl_stapling_issuer_responder(ngx_conf_t *cf,
+ ngx_ssl_t *ssl, ngx_str_t *responder);
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
void *data);
@@ -157,17 +161,7 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
goto done;
}
- rc = ngx_ssl_stapling_issuer(cf, ssl);
-
- if (rc == NGX_DECLINED) {
- return NGX_OK;
- }
-
- if (rc != NGX_OK) {
- return NGX_ERROR;
- }
-
- rc = ngx_ssl_stapling_responder(cf, ssl, responder);
+ rc = ngx_ssl_stapling_issuer_responder(cf, ssl, responder);
if (rc == NGX_DECLINED) {
return NGX_OK;
@@ -254,18 +248,55 @@ failed:
static ngx_int_t
-ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
+ngx_ssl_stapling_issuer_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *responder)
+{
+ ngx_int_t rc, ret;
+ X509 *cert;
+
+ ret = NGX_DECLINED;
+ cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
+
+ while (cert) {
+
+ rc = ngx_ssl_stapling_issuer(cf, ssl, cert);
+
+ if (rc == NGX_OK) {
+
+ rc = ngx_ssl_stapling_responder(cf, ssl, responder, cert);
+
+ /* return OK, when one cert at least is OK */
+ if (rc == NGX_OK) {
+ ret = NGX_OK;
+ }
+ }
+
+ if (rc == NGX_DECLINED) {
+ rc = NGX_OK;
+ }
+ if (rc != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ /* Get next certificate */
+ cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_NEXT_CERT);
+ }
+
+ return ret;
+}
+
+
+static ngx_int_t
+ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert)
{
int i, n, rc;
- X509 *cert, *issuer;
+ X509 *issuer;
X509_STORE *store;
X509_STORE_CTX *store_ctx;
STACK_OF(X509) *chain;
ngx_ssl_stapling_t *staple;
ngx_pool_cleanup_t *cln;
- cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
-
staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
if (staple == NULL) {
return NGX_ERROR;
@@ -370,15 +401,14 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
static ngx_int_t
-ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
+ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
+ X509 *cert)
{
ngx_url_t u;
char *s;
ngx_ssl_stapling_t *staple;
- X509 *cert;
STACK_OF(OPENSSL_STRING) *aia;
- cert = ngx_ssl_get_server_certificate(ssl, NGX_SSL_FIRST_CERT);
staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);
if (responder->len == 0) {
More information about the nginx-devel
mailing list