Klaus Demo nginx / 3648ba7
OCSP stapling: ssl_trusted_certificate directive. The directive allows specifying additional trusted Certificate Authority certificates to be used during certificate verification. In contrast to ssl_client_certificate, DNs of these certificates aren't sent to a client during the handshake. Trusted certificates are loaded regardless of whether client certificate verification is enabled, as the same certificates will be used for OCSP stapling, during construction of an OCSP request and for verification of an OCSP response. The same applies to a CRL (which is now always loaded). Maxim Dounin 8 years ago
4 changed file(s) with 52 addition(s) and 4 deletion(s). Raw diff Collapse all Expand all
290290 ERR_clear_error();
291291
292292 SSL_CTX_set_client_CA_list(ssl->ctx, list);
293
294 return NGX_OK;
295 }
296
297
298 ngx_int_t
299 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
300 ngx_int_t depth)
301 {
302 SSL_CTX_set_verify_depth(ssl->ctx, depth);
303
304 if (cert->len == 0) {
305 return NGX_OK;
306 }
307
308 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
309 return NGX_ERROR;
310 }
311
312 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
313 == 0)
314 {
315 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
316 "SSL_CTX_load_verify_locations(\"%s\") failed",
317 cert->data);
318 return NGX_ERROR;
319 }
293320
294321 return NGX_OK;
295322 }
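Review bot: ngx_ssl_trusted_certificate has no comment explaining how it differs from ngx_ssl_client_certificate, although that distinction is the point of the change: SSL_CTX_load_verify_locations() adds the CAs to the context's verify store, so they are accepted as issuers during peer verification (including client certificates when verification is on) and, per the commit message, for OCSP responses, but they are never passed to SSL_CTX_set_client_CA_list() and so are not advertised to the client. A comment above the function such as `/* load CAs into the verify store only; unlike ngx_ssl_client_certificate they are not advertised to the client */` would record that for the next reader. Note also that SSL_CTX_set_verify_depth() runs before the cert->len == 0 check, so the depth is applied even when no trusted certificate is configured; this appears to mirror ngx_ssl_client_certificate, whose body is mostly outside the hunk, and deserves a short comment if intended.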
100100 ngx_str_t *cert, ngx_str_t *key);
101101 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
102102 ngx_str_t *cert, ngx_int_t depth);
103 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
104 ngx_str_t *cert, ngx_int_t depth);
103105 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
104106 RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
105107 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
121121 ngx_conf_set_str_slot,
122122 NGX_HTTP_SRV_CONF_OFFSET,
123123 offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
124 NULL },
125
126 { ngx_string("ssl_trusted_certificate"),
127 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
128 ngx_conf_set_str_slot,
129 NGX_HTTP_SRV_CONF_OFFSET,
130 offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
124131 NULL },
125132
126133 { ngx_string("ssl_prefer_server_ciphers"),
324331 * sscf->dhparam = { 0, NULL };
325332 * sscf->ecdh_curve = { 0, NULL };
326333 * sscf->client_certificate = { 0, NULL };
334 * sscf->trusted_certificate = { 0, NULL };
327335 * sscf->crl = { 0, NULL };
328336 * sscf->ciphers = { 0, NULL };
329337 * sscf->shm_zone = NULL;
379387
380388 ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
381389 "");
390 ngx_conf_merge_str_value(conf->trusted_certificate,
391 prev->trusted_certificate, "");
382392 ngx_conf_merge_str_value(conf->crl, prev->crl, "");
383393
384394 ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
478488 {
479489 return NGX_CONF_ERROR;
480490 }
481
482 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
483 return NGX_CONF_ERROR;
484 }
491 }
492
493 if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
494 &conf->trusted_certificate,
495 conf->verify_depth)
496 != NGX_OK)
497 {
498 return NGX_CONF_ERROR;
499 }
500
501 if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
502 return NGX_CONF_ERROR;
485503 }
486504
487505 if (conf->prefer_server_ciphers) {
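Review bot: The trusted-certificate and CRL loading now sits after the closing brace of an if block whose header lies outside the hunk (presumably the client-verification check), with nothing in the code saying why they are loaded unconditionally; the rationale exists only in the commit message. A comment before the ngx_ssl_trusted_certificate() call such as `/* loaded even if client verification is off: also needed for OCSP stapling */` would keep that reasoning with the code. Since ngx_ssl_trusted_certificate() calls SSL_CTX_set_verify_depth() before checking for an empty name, conf->verify_depth now appears to take effect on the context regardless of whether client verification is enabled, which the comment could also state. The enclosing merge function starts and ends outside the hunk.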
3434 ngx_str_t dhparam;
3535 ngx_str_t ecdh_curve;
3636 ngx_str_t client_certificate;
37 ngx_str_t trusted_certificate;
3738 ngx_str_t crl;
3839
3940 ngx_str_t ciphers;