From 40e075c3254c18a3dde2dd801f71664c3982845a Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Thu, 19 May 2016 14:46:32 +0300 Subject: [PATCH] OCSP stapling: staple now extracted via SSL_get_certificate(). This makes it possible to properly return OCSP staple with multiple certificates configured. Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+. In older versions SSL_get_certificate() fails to return correct certificate when the certificate status callback is called. --- src/event/ngx_event_openssl_stapling.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c index b1c87b36e..04d554849 100644 --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -185,7 +185,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, done: SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); - SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple); return NGX_OK; } @@ -455,6 +454,7 @@ static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) { int rc; + X509 *cert; u_char *p; ngx_connection_t *c; ngx_ssl_stapling_t *staple; @@ -464,9 +464,15 @@ ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL certificate status callback"); - staple = data; rc = SSL_TLSEXT_ERR_NOACK; + cert = SSL_get_certificate(ssl_conn); + staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); + + if (staple == NULL) { + return rc; + } + if (staple->staple.len && staple->valid >= ngx_time()) {