[PATCH] SSL: Added crl_check_mode
Jürno Ader
jyrno42 at gmail.com
Wed Mar 8 16:12:32 UTC 2017
# HG changeset patch
# User Jürno Ader <jyrno42 at gmail.com>
# Date 1488987398 -7200
# Wed Mar 08 17:36:38 2017 +0200
# Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
# Parent d450723755728f9d0cc291247b9601e2f3340f19
SSL: Added crl_check_mode
Added crl_check_mode flag which can be used to modify flags used for
the X509_STORE created in ngx_ssl_crl.
This makes it possible to use Estonian Identity card revocation lists with
nginx (see https://trac.nginx.org/nginx/ticket/1094); this previously failed
because no proper CRL is available for the ESTEID root certificate.
This patch implements the flag for the following modules:
- http_proxy
- http_ssl
- http_uwsgi
- mail_ssl
- stream_proxy
- stream_ssl
diff -r d45072375572 -r 9c13ae0d54a7 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/event/ngx_event_openssl.c Wed Mar 08 17:36:38 2017 +0200
@@ -737,7 +737,8 @@
ngx_int_t
-ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
+ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl,
+ ngx_uint_t crl_check_mode)
{
X509_STORE *store;
X509_LOOKUP *lookup;
@@ -774,8 +775,23 @@
return NGX_ERROR;
}
- X509_STORE_set_flags(store,
- X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ unsigned long crl_flags;
+
+ switch (crl_check_mode) {
+
+ case NGX_SSL_CRL_CHECK_LEAF:
+ crl_flags = X509_V_FLAG_CRL_CHECK;
+ break;
+
+ case NGX_SSL_CRL_CHECK_CHAIN:
+ crl_flags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+ break;
+
+ default:
+ crl_flags = 0;
+ }
+
+ X509_STORE_set_flags(store, crl_flags);
return NGX_OK;
}
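Review bot: The `default:` branch at the end of the new switch sets `crl_flags = 0`, so any crl_check_mode value outside the three defines silently disables CRL checking on a store that has just been loaded with the CRL; a fail-closed default is safer, e.g. `default: crl_flags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;` (or returning NGX_ERROR). The configuration enum slots only admit the three named values, so today this guards against future callers rather than a reachable misconfiguration. With NGX_SSL_CRL_CHECK_NONE the CRL file is presumably still read into the store by the lookup code earlier in ngx_ssl_crl (outside this hunk) and then never consulted, so callers could skip ngx_ssl_crl entirely in that mode. Separately, `unsigned long crl_flags;` is declared mid-body after statements, whereas nginx style keeps declarations with `store` and `lookup` at the top of the function, which begins before this hunk.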
diff -r d45072375572 -r 9c13ae0d54a7 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue Mar 07 18:51:17 2017 +0300
+++ b/src/event/ngx_event_openssl.h Wed Mar 08 17:36:38 2017 +0200
@@ -138,6 +138,9 @@
#define NGX_SSL_BUFSIZE 16384
+#define NGX_SSL_CRL_CHECK_NONE 0
+#define NGX_SSL_CRL_CHECK_LEAF 1
+#define NGX_SSL_CRL_CHECK_CHAIN 2
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
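Review bot: The three new NGX_SSL_CRL_CHECK_* defines carry no comment explaining what each mode does, although their meaning is only visible in the switch in ngx_event_openssl.c. A short block comment above them would help, e.g. `/* crl_check_mode for ngx_ssl_crl(): NONE sets no CRL flags, LEAF sets X509_V_FLAG_CRL_CHECK (leaf certificate only), CHAIN additionally sets X509_V_FLAG_CRL_CHECK_ALL (whole chain; the previous behaviour and the configured default) */`. Spelling out that LEAF leaves intermediate CA certificates unchecked for revocation is the part an administrator choosing the mode most needs to know.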
@@ -151,7 +154,8 @@
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
-ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
+ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl,
+ ngx_uint_t crl_check_mode);
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -97,6 +97,7 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_uint_t ssl_crl_check_mode;
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
@@ -237,6 +238,14 @@
{ ngx_null_string, 0 }
};
+
+static ngx_conf_enum_t ngx_http_proxy_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
#endif
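Review bot: The `ngx_http_proxy_ssl_crl_check_mode` table is the first of six identical `ngx_conf_enum_t` tables added by this patch (also in ngx_http_ssl_module.c, ngx_http_uwsgi_module.c, ngx_mail_ssl_module.c, ngx_stream_proxy_module.c and ngx_stream_ssl_module.c); a single shared table declared in ngx_event_openssl.h next to the NGX_SSL_CRL_CHECK_* defines would keep the name-to-value mapping in one place, e.g. `extern ngx_conf_enum_t ngx_ssl_crl_check_modes[];`. Each module's command entry would then reference that array instead of its private copy, and a future mode would need a change in one file rather than six. The table order "none", "chain", "leaf" also differs from the numeric order of the defines; this is harmless for ngx_conf_set_enum_slot but worth aligning for readability.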
@@ -692,6 +701,13 @@
offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
NULL },
+ { ngx_string("proxy_ssl_crl_check_mode"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_crl_check_mode),
+ &ngx_http_proxy_ssl_crl_check_mode },
+
{ ngx_string("proxy_ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -2884,6 +2900,7 @@
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT;
#endif
/* "proxy_cyclic_temp_file" is disabled */
@@ -3218,6 +3235,9 @@
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_uint_value(conf->ssl_crl_check_mode,
+ prev->ssl_crl_check_mode,
+ NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ssl_certificate,
prev->ssl_certificate, "");
@@ -4378,7 +4398,10 @@
return NGX_ERROR;
}
- if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl,
+ plcf->ssl_crl_check_mode)
+ != NGX_OK)
+ {
return NGX_ERROR;
}
}
diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -70,6 +70,14 @@
};
+static ngx_conf_enum_t ngx_http_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_command_t ngx_http_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -205,6 +213,13 @@
offsetof(ngx_http_ssl_srv_conf_t, crl),
NULL },
+ { ngx_string("ssl_crl_check_mode"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, crl_check_mode),
+ &ngx_http_ssl_crl_check_mode },
+
{ ngx_string("ssl_stapling"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -554,6 +569,7 @@
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->crl_check_mode = NGX_CONF_UNSET_UINT;
return sscf;
}
@@ -607,6 +623,8 @@
ngx_conf_merge_str_value(conf->trusted_certificate,
prev->trusted_certificate, "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+ ngx_conf_merge_uint_value(conf->crl_check_mode, prev->crl_check_mode,
+ NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
NGX_DEFAULT_ECDH_CURVE);
@@ -744,7 +762,10 @@
return NGX_CONF_ERROR;
}
- if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl,
+ conf->crl_check_mode)
+ != NGX_OK)
+ {
return NGX_CONF_ERROR;
}
diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Tue Mar 07 18:51:17 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Wed Mar 08 17:36:38 2017 +0200
@@ -40,6 +40,7 @@
ngx_str_t client_certificate;
ngx_str_t trusted_certificate;
ngx_str_t crl;
+ ngx_uint_t crl_check_mode;
ngx_str_t ciphers;
diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -54,6 +54,7 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_uint_t ssl_crl_check_mode;
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
@@ -131,6 +132,14 @@
{ ngx_null_string, 0 }
};
+
+static ngx_conf_enum_t ngx_http_uwsgi_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
#endif
@@ -530,6 +539,13 @@
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl),
NULL },
+ { ngx_string("uwsgi_ssl_crl_check_mode"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl_check_mode),
+ &ngx_http_uwsgi_ssl_crl_check_mode },
+
{ ngx_string("uwsgi_ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -1446,6 +1462,7 @@
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT;
#endif
/* "uwsgi_cyclic_temp_file" is disabled */
@@ -1766,6 +1783,9 @@
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_uint_value(conf->ssl_crl_check_mode,
+ prev->ssl_crl_check_mode,
+ NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ssl_certificate,
prev->ssl_certificate, "");
@@ -2381,7 +2401,10 @@
return NGX_ERROR;
}
- if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl,
+ uwcf->ssl_crl_check_mode)
+ != NGX_OK)
+ {
return NGX_ERROR;
}
}
diff -r d45072375572 -r 9c13ae0d54a7 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -55,6 +55,14 @@
};
+static ngx_conf_enum_t ngx_mail_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_command_t ngx_mail_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -190,6 +198,13 @@
offsetof(ngx_mail_ssl_conf_t, crl),
NULL },
+ { ngx_string("ssl_crl_check_mode"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, crl_check_mode),
+ &ngx_mail_ssl_crl_check_mode },
+
ngx_null_command
};
@@ -259,6 +274,7 @@
scf->session_timeout = NGX_CONF_UNSET;
scf->session_tickets = NGX_CONF_UNSET;
scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ scf->crl_check_mode = NGX_CONF_UNSET_UINT;
return scf;
}
@@ -306,6 +322,8 @@
ngx_conf_merge_str_value(conf->trusted_certificate,
prev->trusted_certificate, "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+ ngx_conf_merge_uint_value(conf->crl_check_mode,
+ prev->crl_check_mode, NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
@@ -417,7 +435,9 @@
return NGX_CONF_ERROR;
}
- if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_mode)
+ != NGX_OK)
+ {
return NGX_CONF_ERROR;
}
}
diff -r d45072375572 -r 9c13ae0d54a7 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Tue Mar 07 18:51:17 2017 +0300
+++ b/src/mail/ngx_mail_ssl_module.h Wed Mar 08 17:36:38 2017 +0200
@@ -43,6 +43,7 @@
ngx_str_t client_certificate;
ngx_str_t trusted_certificate;
ngx_str_t crl;
+ ngx_uint_t crl_check_mode;
ngx_str_t ciphers;
diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -44,6 +44,7 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_uint_t ssl_crl_check_mode;
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
@@ -106,6 +107,14 @@
{ ngx_null_string, 0 }
};
+
+static ngx_conf_enum_t ngx_stream_proxy_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
#endif
@@ -290,6 +299,13 @@
offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl),
NULL },
+ { ngx_string("proxy_ssl_crl_check_mode"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl_check_mode),
+ &ngx_stream_proxy_ssl_crl_check_mode },
+
{ ngx_string("proxy_ssl_certificate"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -1858,6 +1874,7 @@
conf->ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT;
#endif
return conf;
@@ -1928,6 +1945,9 @@
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_uint_value(conf->ssl_crl_check_mode,
+ prev->ssl_crl_check_mode,
+ NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ssl_certificate,
prev->ssl_certificate, "");
@@ -2009,7 +2029,10 @@
return NGX_ERROR;
}
- if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl,
+ pscf->ssl_crl_check_mode)
+ != NGX_OK)
+ {
return NGX_ERROR;
}
}
diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Tue Mar 07 18:51:17 2017 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Wed Mar 08 17:36:38 2017 +0200
@@ -58,6 +58,14 @@
};
+static ngx_conf_enum_t ngx_stream_ssl_crl_check_mode[] = {
+ { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE },
+ { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN },
+ { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_command_t ngx_stream_ssl_commands[] = {
{ ngx_string("ssl_handshake_timeout"),
@@ -186,6 +194,13 @@
offsetof(ngx_stream_ssl_conf_t, crl),
NULL },
+ { ngx_string("ssl_crl_check_mode"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_conf_t, crl_check_mode),
+ &ngx_stream_ssl_crl_check_mode },
+
ngx_null_command
};
@@ -519,6 +534,7 @@
scf->session_timeout = NGX_CONF_UNSET;
scf->session_tickets = NGX_CONF_UNSET;
scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ scf->crl_check_mode = NGX_CONF_UNSET_UINT;
return scf;
}
@@ -561,6 +577,8 @@
ngx_conf_merge_str_value(conf->trusted_certificate,
prev->trusted_certificate, "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
+ ngx_conf_merge_uint_value(conf->crl_check_mode, prev->crl_check_mode,
+ NGX_SSL_CRL_CHECK_CHAIN);
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
NGX_DEFAULT_ECDH_CURVE);
@@ -635,7 +653,9 @@
return NGX_CONF_ERROR;
}
- if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
+ if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_mode)
+ != NGX_OK)
+ {
return NGX_CONF_ERROR;
}
}
diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_ssl_module.h
--- a/src/stream/ngx_stream_ssl_module.h Tue Mar 07 18:51:17 2017 +0300
+++ b/src/stream/ngx_stream_ssl_module.h Wed Mar 08 17:36:38 2017 +0200
@@ -38,6 +38,7 @@
ngx_str_t client_certificate;
ngx_str_t trusted_certificate;
ngx_str_t crl;
+ ngx_uint_t crl_check_mode;
ngx_str_t ciphers;