nginx.git/src, branch release-1.3.7 nginx OCSP stapling: build fixes. 2012-10-01T13:54:13+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T13:54:13+00:00 7eea509776b9dfc35b4b0b45f0aceeb36420aacd With the "ssl_stapling_verify" commit build with old OpenSSL libraries was broken due to incorrect prototype of the ngx_ssl_stapling() function. One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in and broke win32 build. 
With the "ssl_stapling_verify" commit build with old OpenSSL libraries
was broken due to incorrect prototype of the ngx_ssl_stapling() function.
One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in
and broke win32 build.
OCSP stapling: ssl_stapling_verify directive. 2012-10-01T12:53:11+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:53:11+00:00 bec2cc5286e5888eb1de9462f7c64b922967b47b OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify allows to switch it on. Note that for stapling OCSP response verification isn't something required as it will be done by a client anyway. But doing verification on a server allows to mitigate some attack vectors, most notably stop an attacker from presenting some specially crafted data to all site clients. 
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used. 2012-10-01T12:51:27+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:51:27+00:00 3ebbb7d521e9faeebdfdbba0a98a7a029e56c0a2 This is expected to simplify configuration in a common case when OCSP response is signed by a certificate already present in ssl_certificate chain. This case won't need any extra trusted certificates. 
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain.  This case won't need any extra trusted certificates.
OCSP stapling: log error data in ngx_ssl_error(). 2012-10-01T12:50:36+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:50:36+00:00 1a07a7f2de10b59a0942706d3049e9da86e55a2a It's hard to debug OCSP_basic_verify() failures without the actual error string it records in the error data field. 
It's hard to debug OCSP_basic_verify() failures without the actual error
string it records in the error data field.
OCSP stapling: check Content-Type. 2012-10-01T12:48:54+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:48:54+00:00 872563a64d8d0952a3b9f058cd763440421427c7 This will result in better error message in case of incorrect response from OCSP responder: ... OCSP responder sent invalid "Content-Type" header: "text/plain" while requesting certificate status, responder: ... vs. ... d2i_OCSP_RESPONSE() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error) while requesting certificate status, responder: ... 
This will result in better error message in case of incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...
OCSP stapling: loading OCSP responses. 2012-10-01T12:47:55+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:47:55+00:00 74ad4494a66d7ea5201c37f6628707404df723fe This includes the ssl_stapling_responder directive (defaults to OCSP responder set in certificate's AIA extension). OCSP response for a given certificate is requested once we get at least one connection with certificate_status extension in ClientHello, and certificate status won't be sent in the connection in question. This due to limitations in the OpenSSL API (certificate status callback is blocking). Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't allow to access the certificate loaded via SSL_CTX. 
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
OCSP stapling: the ngx_event_openssl_stapling.c file. 2012-10-01T12:42:43+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:42:43+00:00 f7ec295fb4bd81d8840e51021d44270ccd9ab222 Missed in previous commit. 
Missed in previous commit.
OCSP stapling: ssl_stapling_file support. 2012-10-01T12:41:08+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:41:08+00:00 85c920a0cd4983679fe51ad492abf5dea8ccc497 Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com 
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
             -url http://ocsp.example.com
OCSP stapling: ssl_trusted_certificate directive. 2012-10-01T12:39:36+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-01T12:39:36+00:00 3648ba7db833d318269daba2a8d6be42660c5b60 The directive allows to specify additional trusted Certificate Authority certificates to be used during certificate verification. In contrast to ssl_client_certificate DNs of these cerificates aren't sent to a client during handshake. Trusted certificates are loaded regardless of the fact whether client certificates verification is enabled as the same certificates will be used for OCSP stapling, during construction of an OCSP request and for verification of an OCSP response. The same applies to a CRL (which is now always loaded). 
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
Resolver: cached addresses are returned with random rotation now. 2012-09-28T18:28:38+00:00 Maxim Dounin mdounin@mdounin.ru 2012-09-28T18:28:38+00:00 6a0f47e0797c8b797c806fab16ffc5bab40c0577 This ensures balancing when working with dynamically resolved upstream servers with multiple addresses. Based on patch by Anton Jouline. 
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.

Based on patch by Anton Jouline.