[nginx] OCSP stapling: added certificate name to warnings.
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 5 20:01:52 UTC 2016
details: http://hg.nginx.org/nginx/rev/a7ec59df0c4d
branches:
changeset: 6812:a7ec59df0c4d
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Dec 05 22:23:22 2016 +0300
description:
OCSP stapling: added certificate name to warnings.
diffstat:
src/event/ngx_event_openssl.c | 18 ++++++++++++++++++
src/event/ngx_event_openssl.h | 1 +
src/event/ngx_event_openssl_stapling.c | 22 +++++++++++++++++-----
3 files changed, 36 insertions(+), 5 deletions(-)
diffs (127 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -106,6 +106,7 @@ int ngx_ssl_session_cache_index;
int ngx_ssl_session_ticket_keys_index;
int ngx_ssl_certificate_index;
int ngx_ssl_next_certificate_index;
+int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
@@ -193,6 +194,14 @@ ngx_ssl_init(ngx_log_t *log)
return NGX_ERROR;
}
+ ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
+ NULL);
+
+ if (ngx_ssl_certificate_name_index == -1) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
+ return NGX_ERROR;
+ }
+
ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ngx_ssl_stapling_index == -1) {
@@ -385,6 +394,15 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
return NGX_ERROR;
}
+ if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
+ X509_free(x509);
+ BIO_free(bio);
+ return NGX_ERROR;
+ }
+
if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
== 0)
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -236,6 +236,7 @@ extern int ngx_ssl_session_cache_index;
extern int ngx_ssl_session_ticket_keys_index;
extern int ngx_ssl_certificate_index;
extern int ngx_ssl_next_certificate_index;
+extern int ngx_ssl_certificate_name_index;
extern int ngx_ssl_stapling_index;
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -31,6 +31,8 @@ typedef struct {
X509 *cert;
X509 *issuer;
+ u_char *name;
+
time_t valid;
time_t refresh;
@@ -173,6 +175,8 @@ ngx_ssl_stapling_certificate(ngx_conf_t
staple->timeout = 60000;
staple->verify = verify;
staple->cert = cert;
+ staple->name = X509_get_ex_data(staple->cert,
+ ngx_ssl_certificate_name_index);
if (file->len) {
/* use OCSP response from the file */
@@ -354,7 +358,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
if (rc == 0) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
- "\"ssl_stapling\" ignored, issuer certificate not found");
+ "\"ssl_stapling\" ignored, "
+ "issuer certificate not found for certificate \"%s\"",
+ staple->name);
X509_STORE_CTX_free(store_ctx);
return NGX_DECLINED;
}
@@ -387,7 +393,8 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
if (aia == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
- "no OCSP responder URL in the certificate");
+ "no OCSP responder URL in the certificate \"%s\"",
+ staple->name);
return NGX_DECLINED;
}
@@ -399,7 +406,8 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
if (s == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
- "no OCSP responder URL in the certificate");
+ "no OCSP responder URL in the certificate \"%s\"",
+ staple->name);
X509_email_free(aia);
return NGX_DECLINED;
}
@@ -432,7 +440,9 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
} else {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
- "invalid URL prefix in OCSP responder \"%V\"", &u.url);
+ "invalid URL prefix in OCSP responder \"%V\" "
+ "in the certificate \"%s\"",
+ &u.url, staple->name);
return NGX_DECLINED;
}
@@ -440,7 +450,9 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
if (u.err) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
- "%s in OCSP responder \"%V\"", u.err, &u.url);
+ "%s in OCSP responder \"%V\" "
+ "in the certificate \"%s\"",
+ u.err, &u.url, staple->name);
return NGX_DECLINED;
}
More information about the nginx-devel
mailing list