[nginx] OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan
arut at nginx.com
Sat May 23 10:35:45 UTC 2020
details: https://hg.nginx.org/nginx/rev/6ca8e15caf1f
branches:
changeset: 7651:6ca8e15caf1f
user: Roman Arutyunyan <arut at nginx.com>
date: Sun May 17 14:24:35 2020 +0300
description:
OCSP stapling: keep extra chain in the staple object.
diffstat:
src/event/ngx_event_openssl_stapling.c | 47 +++++++++++++--------------------
1 files changed, 18 insertions(+), 29 deletions(-)
diffs (107 lines):
diff -r abb6cc8f1dd8 -r 6ca8e15caf1f src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Wed May 06 21:44:14 2020 +0300
+++ b/src/event/ngx_event_openssl_stapling.c Sun May 17 14:24:35 2020 +0300
@@ -30,6 +30,7 @@ typedef struct {
X509 *cert;
X509 *issuer;
+ STACK_OF(X509) *chain;
u_char *name;
@@ -48,6 +49,7 @@ struct ngx_ssl_ocsp_ctx_s {
X509 *cert;
X509 *issuer;
+ STACK_OF(X509) *chain;
int status;
time_t valid;
@@ -179,6 +181,18 @@ ngx_ssl_stapling_certificate(ngx_conf_t
return NGX_ERROR;
}
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+ /* OpenSSL 1.0.1+ */
+ SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
+#else
+ staple->chain = ssl->ctx->extra_certs;
+#endif
+
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
staple->verify = verify;
@@ -295,29 +309,16 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
X509 *cert, *issuer;
X509_STORE *store;
X509_STORE_CTX *store_ctx;
- STACK_OF(X509) *chain;
cert = staple->cert;
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
- /* OpenSSL 1.0.2+ */
- SSL_CTX_select_current_cert(ssl->ctx, cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
- /* OpenSSL 1.0.1+ */
- SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
-#else
- chain = ssl->ctx->extra_certs;
-#endif
-
- n = sk_X509_num(chain);
+ n = sk_X509_num(staple->chain);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: %d extra certs", n);
for (i = 0; i < n; i++) {
- issuer = sk_X509_value(chain, i);
+ issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
#if OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
@@ -573,6 +574,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling
ctx->ssl_ctx = staple->ssl_ctx;
ctx->cert = staple->cert;
ctx->issuer = staple->issuer;
+ ctx->chain = staple->chain;
ctx->name = staple->name;
ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
@@ -1720,7 +1722,6 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *
size_t len;
X509_STORE *store;
const u_char *p;
- STACK_OF(X509) *chain;
OCSP_CERTID *id;
OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic;
@@ -1769,19 +1770,7 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *
goto error;
}
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
- /* OpenSSL 1.0.2+ */
- SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
- /* OpenSSL 1.0.1+ */
- SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
-#else
- chain = ctx->ssl_ctx->extra_certs;
-#endif
-
- if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
+ if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
More information about the nginx-devel
mailing list