nginx.git/src/event/ngx_event_openssl_stapling.c, branch release-1.29.2 nginx SSL: moved certificate storage out of exdata. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:02:27+00:00 f36ff3550a7271a618edb119f064dddd086cc380 Instead of cross-linking the objects using exdata, pointers to configured certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed with rbtree in it. This allows sharing these objects between SSL contexts. Based on previous work by Mini Hawthorne. 
Instead of cross-linking the objects using exdata, pointers to configured
certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed
with rbtree in it.  This allows sharing these objects between SSL contexts.

Based on previous work by Mini Hawthorne.
SSL: reasonable version for LibreSSL adjusted. 2023-12-25T17:15:48+00:00 Sergey Kandaurov pluknet@nginx.com 2023-12-25T17:15:48+00:00 f255815f5d161fab0dd310fe826d4f7572e141f2 OPENSSL_VERSION_NUMBER is now redefined to 0x1010000fL for LibreSSL 3.5.0 and above. Building with older LibreSSL versions, such as 2.8.0, may now produce warnings (see cab37803ebb3) and may require appropriate compiler options to suppress them. Notably, this allows to start using SSL_get0_verified_chain() appeared in OpenSSL 1.1.0 and LibreSSL 3.5.0, without additional macro tests. Prodded by Ilya Shipitsin. 
OPENSSL_VERSION_NUMBER is now redefined to 0x1010000fL for LibreSSL 3.5.0
and above.  Building with older LibreSSL versions, such as 2.8.0, may now
produce warnings (see cab37803ebb3) and may require appropriate compiler
options to suppress them.

Notably, this allows to start using SSL_get0_verified_chain() appeared
in OpenSSL 1.1.0 and LibreSSL 3.5.0, without additional macro tests.

Prodded by Ilya Shipitsin.
Core: added format specifiers to output binary data as hex. 2020-10-28T07:56:11+00:00 Vladimir Homutov vl@nginx.com 2020-10-28T07:56:11+00:00 3c0427373381097a9e25ccc2cb46bbc1ccac87a2 Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase) or "X" (uppercase) to output corresponding data in hexadecimal format. In collaboration with Maxim Dounin. 
Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase)
or "X" (uppercase) to output corresponding data in hexadecimal format.

In collaboration with Maxim Dounin.
OCSP: fixed certificate reference leak. 2020-07-23T14:31:09+00:00 Sergey Kandaurov pluknet@nginx.com 2020-07-23T14:31:09+00:00 4ee66b3f7bb176915cfb0e7f3ab37d06fd6924bd 






OCSP: fixed use-after-free on error.
2020-06-15T17:17:16+00:00

Roman Arutyunyan
arut@nginx.com

2020-06-15T17:17:16+00:00

7547581bbcb7b737710f9141260d822a08685b83

When validating second and further certificates, ssl callback could be called
twice to report the error.  After the first call client connection is
terminated and its memory is released.  Prior to the second call and in it
released connection memory is accessed.

Errors triggering this behavior:
- failure to create the request
- failure to start resolving OCSP responder name
- failure to start connecting to the OCSP responder

The fix is to rearrange the code to eliminate the second call.





When validating second and further certificates, ssl callback could be called
twice to report the error.  After the first call client connection is
terminated and its memory is released.  Prior to the second call and in it
released connection memory is accessed.

Errors triggering this behavior:
- failure to create the request
- failure to start resolving OCSP responder name
- failure to start connecting to the OCSP responder

The fix is to rearrange the code to eliminate the second call.







Fixed format specifiers.
2020-05-23T12:53:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2020-05-23T12:53:08+00:00

9b87626b0bdd0e6c87d76f1a50302ca9e3df2fc1












OCSP: certificate status cache.
2020-05-22T14:25:27+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:25:27+00:00

5727f9a1e0cca082eb1f3e599e0453a7a9cfe319

When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.





When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.







SSL: client certificate validation with OCSP (ticket #1534).
2020-05-22T14:30:12+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:30:12+00:00

60438ae395d83b0f8b21bf667a1e260d60c3f46a

OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.





OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.







OCSP stapling: iterate over all responder addresses.
2020-05-22T17:35:05+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T17:35:05+00:00

aa94ee82f6040c8e2cbde3ae4de931c23fade3f3

Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).





Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).







OCSP stapling: keep extra chain in the staple object.
2020-05-17T11:24:35+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-17T11:24:35+00:00

abdb9aebc6fa165cc2a77a555f309a4eec6947dd