Klaus Demo nginx / 85c920a
OCSP stapling: ssl_stapling_file support. Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com Maxim Dounin 8 years ago
4 changed file(s) with 31 addition(s) and 1 deletion(s).
7676
7777 OPENSSL_MODULE=ngx_openssl_module
7878 OPENSSL_DEPS=src/event/ngx_event_openssl.h
79 OPENSSL_SRCS=src/event/ngx_event_openssl.c
79 OPENSSL_SRCS="src/event/ngx_event_openssl.c \
80 src/event/ngx_event_openssl_stapling.c"
8081
8182
8283 EVENT_MODULES="ngx_events_module ngx_event_core_module"
1616 #include <openssl/conf.h>
1717 #include <openssl/engine.h>
1818 #include <openssl/evp.h>
19 #include <openssl/ocsp.h>
1920
2021 #define NGX_SSL_NAME "OpenSSL"
2122
103104 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
104105 ngx_str_t *cert, ngx_int_t depth);
105106 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
107 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
106108 RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
107109 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
108110 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
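Review bot: The new `ngx_ssl_stapling()` prototype at new line 107 says nothing about what `file` must contain or who keeps it current. Going by the commit message, the file has to hold a DER-encoded OCSP response and there is no responder query code, so nothing on this page refreshes it; a response left in place past its validity period would presumably keep being stapled until the file is replaced and the configuration reloaded. I would add a comment above the declaration such as `/* file: pre-fetched DER-encoded OCSP response; nginx does not query the responder, so the operator must refresh it before it expires */`. The function's definition is not shown here, so whether it checks the response at load time should be confirmed there.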
156156 ngx_conf_set_str_slot,
157157 NGX_HTTP_SRV_CONF_OFFSET,
158158 offsetof(ngx_http_ssl_srv_conf_t, crl),
159 NULL },
160
161 { ngx_string("ssl_stapling"),
162 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
163 ngx_conf_set_flag_slot,
164 NGX_HTTP_SRV_CONF_OFFSET,
165 offsetof(ngx_http_ssl_srv_conf_t, stapling),
166 NULL },
167
168 { ngx_string("ssl_stapling_file"),
169 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
170 ngx_conf_set_str_slot,
171 NGX_HTTP_SRV_CONF_OFFSET,
172 offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
159173 NULL },
160174
161175 ngx_null_command
335349 * sscf->crl = { 0, NULL };
336350 * sscf->ciphers = { 0, NULL };
337351 * sscf->shm_zone = NULL;
352 * sscf->stapling_file = { 0, NULL };
338353 */
339354
340355 sscf->enable = NGX_CONF_UNSET;
343358 sscf->verify_depth = NGX_CONF_UNSET_UINT;
344359 sscf->builtin_session_cache = NGX_CONF_UNSET;
345360 sscf->session_timeout = NGX_CONF_UNSET;
361 sscf->stapling = NGX_CONF_UNSET;
346362
347363 return sscf;
348364 }
396412
397413 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
398414
415 ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
416 ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
399417
400418 conf->ssl.log = cf->log;
401419
532550 return NGX_CONF_ERROR;
533551 }
534552
553 if (conf->stapling
554 && ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK)
555 {
556 return NGX_CONF_ERROR;
557 }
558
535559 return NGX_CONF_OK;
536560 }
537561
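Review bot: The guard at new lines 553-557 tests only `conf->stapling`, so two misconfigurations of the directive pair go unreported. With `ssl_stapling on` and no `ssl_stapling_file`, the merge at new line 416 leaves `stapling_file` empty and that empty string is handed to `ngx_ssl_stapling()`, whose handling of it is not visible on this page; with `ssl_stapling_file` set and `ssl_stapling` off, the file is silently ignored and clients receive no stapled response. Since this version has no responder query code, I would reject the first case explicitly before the call and consider a warning for the second. The enclosing merge function starts above the visible lines.

```c
    if (conf->stapling && conf->stapling_file.len == 0) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "\"ssl_stapling\" is on, but no "
                      "\"ssl_stapling_file\" is defined");
        return NGX_CONF_ERROR;
    }

    /* … unchanged: ngx_ssl_stapling() call guarded by conf->stapling … */
```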
4141
4242 ngx_shm_zone_t *shm_zone;
4343
44 ngx_flag_t stapling;
45 ngx_str_t stapling_file;
46
4447 u_char *file;
4548 ngx_uint_t line;
4649 } ngx_http_ssl_srv_conf_t;