mirror of
https://github.com/nginx/nginx.git
synced 2024-11-21 16:28:40 +00:00
OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority certificates to be used during certificate verification. In contrast to ssl_client_certificate DNs of these cerificates aren't sent to a client during handshake. Trusted certificates are loaded regardless of the fact whether client certificates verification is enabled as the same certificates will be used for OCSP stapling, during construction of an OCSP request and for verification of an OCSP response. The same applies to a CRL (which is now always loaded).
This commit is contained in:
parent
6a0f47e079
commit
3648ba7db8
@ -296,6 +296,33 @@ ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
|
||||||
|
ngx_int_t depth)
|
||||||
|
{
|
||||||
|
SSL_CTX_set_verify_depth(ssl->ctx, depth);
|
||||||
|
|
||||||
|
if (cert->len == 0) {
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
|
||||||
|
== 0)
|
||||||
|
{
|
||||||
|
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
|
||||||
|
"SSL_CTX_load_verify_locations(\"%s\") failed",
|
||||||
|
cert->data);
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
|
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
|
||||||
{
|
{
|
||||||
|
@ -101,6 +101,8 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
|||||||
ngx_str_t *cert, ngx_str_t *key);
|
ngx_str_t *cert, ngx_str_t *key);
|
||||||
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
ngx_str_t *cert, ngx_int_t depth);
|
ngx_str_t *cert, ngx_int_t depth);
|
||||||
|
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||||
|
ngx_str_t *cert, ngx_int_t depth);
|
||||||
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
|
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
|
||||||
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
|
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
|
||||||
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
||||||
|
@ -124,6 +124,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|||||||
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
|
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
|
||||||
NULL },
|
NULL },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_trusted_certificate"),
|
||||||
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
||||||
|
ngx_conf_set_str_slot,
|
||||||
|
NGX_HTTP_SRV_CONF_OFFSET,
|
||||||
|
offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
|
||||||
|
NULL },
|
||||||
|
|
||||||
{ ngx_string("ssl_prefer_server_ciphers"),
|
{ ngx_string("ssl_prefer_server_ciphers"),
|
||||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
||||||
ngx_conf_set_flag_slot,
|
ngx_conf_set_flag_slot,
|
||||||
@ -325,6 +332,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||||||
* sscf->dhparam = { 0, NULL };
|
* sscf->dhparam = { 0, NULL };
|
||||||
* sscf->ecdh_curve = { 0, NULL };
|
* sscf->ecdh_curve = { 0, NULL };
|
||||||
* sscf->client_certificate = { 0, NULL };
|
* sscf->client_certificate = { 0, NULL };
|
||||||
|
* sscf->trusted_certificate = { 0, NULL };
|
||||||
* sscf->crl = { 0, NULL };
|
* sscf->crl = { 0, NULL };
|
||||||
* sscf->ciphers = { 0, NULL };
|
* sscf->ciphers = { 0, NULL };
|
||||||
* sscf->shm_zone = NULL;
|
* sscf->shm_zone = NULL;
|
||||||
@ -380,6 +388,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
|
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
|
||||||
"");
|
"");
|
||||||
|
ngx_conf_merge_str_value(conf->trusted_certificate,
|
||||||
|
prev->trusted_certificate, "");
|
||||||
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
|
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
|
||||||
|
|
||||||
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
|
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
|
||||||
@ -479,10 +489,18 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
{
|
{
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
|
if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
|
||||||
return NGX_CONF_ERROR;
|
&conf->trusted_certificate,
|
||||||
}
|
conf->verify_depth)
|
||||||
|
!= NGX_OK)
|
||||||
|
{
|
||||||
|
return NGX_CONF_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
|
||||||
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (conf->prefer_server_ciphers) {
|
if (conf->prefer_server_ciphers) {
|
||||||
|
@ -35,6 +35,7 @@ typedef struct {
|
|||||||
ngx_str_t dhparam;
|
ngx_str_t dhparam;
|
||||||
ngx_str_t ecdh_curve;
|
ngx_str_t ecdh_curve;
|
||||||
ngx_str_t client_certificate;
|
ngx_str_t client_certificate;
|
||||||
|
ngx_str_t trusted_certificate;
|
||||||
ngx_str_t crl;
|
ngx_str_t crl;
|
||||||
|
|
||||||
ngx_str_t ciphers;
|
ngx_str_t ciphers;
|
||||||
|
Loading…
Reference in New Issue
Block a user