OCSP stapling: staple now extracted via SSL_get_certificate().

This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return correct certificate
when the certificate status callback is called.
This commit is contained in:
Maxim Dounin 2016-05-19 14:46:32 +03:00
parent b4276f2447
commit 40e075c325

View File

@ -185,7 +185,6 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
done: done:
SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);
return NGX_OK; return NGX_OK;
} }
@ -455,6 +454,7 @@ static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{ {
int rc; int rc;
X509 *cert;
u_char *p; u_char *p;
ngx_connection_t *c; ngx_connection_t *c;
ngx_ssl_stapling_t *staple; ngx_ssl_stapling_t *staple;
@ -464,9 +464,15 @@ ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL certificate status callback"); "SSL certificate status callback");
staple = data;
rc = SSL_TLSEXT_ERR_NOACK; rc = SSL_TLSEXT_ERR_NOACK;
cert = SSL_get_certificate(ssl_conn);
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
if (staple == NULL) {
return rc;
}
if (staple->staple.len if (staple->staple.len
&& staple->valid >= ngx_time()) && staple->valid >= ngx_time())
{ {