Commit 85c920a0cd4983679fe51ad492abf5dea8ccc497 - nginx

OCSP stapling: ssl_stapling_file support. Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com Maxim Dounin 8 years ago

4 changed file(s) with 31 addition(s) and 1 deletion(s). Raw diff Collapse all Expand all

-1

auto/sources less more

76	76
77	77	OPENSSL_MODULE=ngx_openssl_module
78	78	OPENSSL_DEPS=src/event/ngx_event_openssl.h
79		OPENSSL_SRCS=src/event/ngx_event_openssl.c
	79	OPENSSL_SRCS="src/event/ngx_event_openssl.c \
	80	src/event/ngx_event_openssl_stapling.c"
80	81
81	82
82	83	EVENT_MODULES="ngx_events_module ngx_event_core_module"

-0

src/event/ngx_event_openssl.h less more

16	16	#include <openssl/conf.h>
17	17	#include <openssl/engine.h>
18	18	#include <openssl/evp.h>
	19	#include <openssl/ocsp.h>
19	20
20	21	#define NGX_SSL_NAME "OpenSSL"
21	22

103	104	ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t cf, ngx_ssl_t ssl,
104	105	ngx_str_t *cert, ngx_int_t depth);
105	106	ngx_int_t ngx_ssl_crl(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *crl);
	107	ngx_int_t ngx_ssl_stapling(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file);
106	108	RSA ngx_ssl_rsa512_key_callback(SSL ssl, int is_export, int key_length);
107	109	ngx_int_t ngx_ssl_dhparam(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file);
108	110	ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *name);

+24

-0

src/http/modules/ngx_http_ssl_module.c less more

156	156	ngx_conf_set_str_slot,
157	157	NGX_HTTP_SRV_CONF_OFFSET,
158	158	offsetof(ngx_http_ssl_srv_conf_t, crl),
	159	NULL },
	160
	161	{ ngx_string("ssl_stapling"),
	162	NGX_HTTP_MAIN_CONF\|NGX_HTTP_SRV_CONF\|NGX_CONF_FLAG,
	163	ngx_conf_set_flag_slot,
	164	NGX_HTTP_SRV_CONF_OFFSET,
	165	offsetof(ngx_http_ssl_srv_conf_t, stapling),
	166	NULL },
	167
	168	{ ngx_string("ssl_stapling_file"),
	169	NGX_HTTP_MAIN_CONF\|NGX_HTTP_SRV_CONF\|NGX_CONF_TAKE1,
	170	ngx_conf_set_str_slot,
	171	NGX_HTTP_SRV_CONF_OFFSET,
	172	offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
159	173	NULL },
160	174
161	175	ngx_null_command

335	349	* sscf->crl = { 0, NULL };
336	350	* sscf->ciphers = { 0, NULL };
337	351	* sscf->shm_zone = NULL;
	352	* sscf->stapling_file = { 0, NULL };
338	353	*/
339	354
340	355	sscf->enable = NGX_CONF_UNSET;

343	358	sscf->verify_depth = NGX_CONF_UNSET_UINT;
344	359	sscf->builtin_session_cache = NGX_CONF_UNSET;
345	360	sscf->session_timeout = NGX_CONF_UNSET;
	361	sscf->stapling = NGX_CONF_UNSET;
346	362
347	363	return sscf;
348	364	}

396	412
397	413	ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
398	414
	415	ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
	416	ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
399	417
400	418	conf->ssl.log = cf->log;
401	419

532	550	return NGX_CONF_ERROR;
533	551	}
534	552
	553	if (conf->stapling
	554	&& ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file) != NGX_OK)
	555	{
	556	return NGX_CONF_ERROR;
	557	}
	558
535	559	return NGX_CONF_OK;
536	560	}
537	561

-0

src/http/modules/ngx_http_ssl_module.h less more

41	41
42	42	ngx_shm_zone_t *shm_zone;
43	43
	44	ngx_flag_t stapling;
	45	ngx_str_t stapling_file;
	46
44	47	u_char *file;
45	48	ngx_uint_t line;
46	49	} ngx_http_ssl_srv_conf_t;