OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com
This commit is contained in:
parent
9125e5adff
commit
f82645a67a
|
@ -77,7 +77,8 @@ REGEX_SRCS=src/core/ngx_regex.c
|
|||
|
||||
OPENSSL_MODULE=ngx_openssl_module
|
||||
OPENSSL_DEPS=src/event/ngx_event_openssl.h
|
||||
OPENSSL_SRCS=src/event/ngx_event_openssl.c
|
||||
OPENSSL_SRCS="src/event/ngx_event_openssl.c \
|
||||
src/event/ngx_event_openssl_stapling.c"
|
||||
|
||||
|
||||
EVENT_MODULES="ngx_events_module ngx_event_core_module"
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
#include <openssl/conf.h>
|
||||
#include <openssl/engine.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/ocsp.h>
|
||||
|
||||
#define NGX_SSL_NAME "OpenSSL"
|
||||
|
||||
|
@ -104,6 +105,7 @@ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
|||
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
|
||||
ngx_str_t *cert, ngx_int_t depth);
|
||||
ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
|
||||
ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
||||
RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
|
||||
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
|
||||
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
|
||||
|
|
|
@ -159,6 +159,20 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|||
offsetof(ngx_http_ssl_srv_conf_t, crl),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_stapling"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
||||
ngx_conf_set_flag_slot,
|
||||
NGX_HTTP_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_http_ssl_srv_conf_t, stapling),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_stapling_file"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_str_slot,
|
||||
NGX_HTTP_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
|
||||
NULL },
|
||||
|
||||
ngx_null_command
|
||||
};
|
||||
|
||||
|
@ -336,6 +350,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||
* sscf->crl = { 0, NULL };
|
||||
* sscf->ciphers = { 0, NULL };
|
||||
* sscf->shm_zone = NULL;
|
||||
* sscf->stapling_file = { 0, NULL };
|
||||
*/
|
||||
|
||||
sscf->enable = NGX_CONF_UNSET;
|
||||
|
@ -344,6 +359,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|||
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
||||
sscf->builtin_session_cache = NGX_CONF_UNSET;
|
||||
sscf->session_timeout = NGX_CONF_UNSET;
|
||||
sscf->stapling = NGX_CONF_UNSET;
|
||||
|
||||
return sscf;
|
||||
}
|
||||
|
@ -397,6 +413,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
|
||||
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
|
||||
|
||||
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
|
||||
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
|
||||
|
||||
conf->ssl.log = cf->log;
|
||||
|
||||
|
@ -533,6 +551,12 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (conf->stapling
|
||||
&& ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK)
|
||||
{
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
return NGX_CONF_OK;
|
||||
}
|
||||
|
||||
|
|
|
@ -42,6 +42,9 @@ typedef struct {
|
|||
|
||||
ngx_shm_zone_t *shm_zone;
|
||||
|
||||
ngx_flag_t stapling;
|
||||
ngx_str_t stapling_file;
|
||||
|
||||
u_char *file;
|
||||
ngx_uint_t line;
|
||||
} ngx_http_ssl_srv_conf_t;
|
||||
|
|
Loading…
Reference in New Issue