authorSergey Kandaurov <pluknet@nginx.com>2025-10-02 15:22:24 +0400
committerpluknet <s.kandaurov@f5.com>2025-10-08 19:56:41 +0400
commit25b03d650087b4d653f99a7ce65582ab565c5a44 (patch)
treecbad25a636017a0eb9ea705f0b13ed36ee745f06 /src/http/modules
parentf5a989cda24d79789d2b8e4f9de21deac4b83d92 (diff)
downloadnginx-25b03d650087b4d653f99a7ce65582ab565c5a44.tar.gz
nginx-25b03d650087b4d653f99a7ce65582ab565c5a44.tar.bz2
SSL: disabled using certificate compression with OCSP stapling.
OCSP response in TLSv1.3 is sent in the Certificate message. This is incompatible with pre-compression of the configured certificates.
Diffstat (limited to 'src/http/modules')
-rw-r--r--src/http/modules/ngx_http_ssl_module.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 3778758e2..7a6f49c3f 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -910,13 +910,19 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->stapling) {
+ if (conf->certificate_compression) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"ssl_stapling\" is incompatible with "
+ "\"ssl_certificate_compression\"");
+ return NGX_CONF_ERROR;
+ }
+
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
&conf->stapling_responder, conf->stapling_verify)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
-
}
if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
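Review bot: The new `conf->certificate_compression` check inside `if (conf->stapling)` has no comment saying why the two directives conflict, and the log message only states that they do; the reason is recorded in the commit message alone. I would add above the check: `/* TLSv1.3 sends the OCSP response in the Certificate message, which is incompatible with pre-compressed certificates */`. Because the test runs in the merge step, a server that inherits `ssl_stapling on` from an outer level will presumably fail to load with NGX_LOG_EMERG once compression is enabled for it, so the directive documentation should say this for operators upgrading an existing configuration. The diffstat shown is limited to src/http/modules, so whether other SSL-enabled modules get the same guard cannot be seen from here. ngx_http_ssl_merge_srv_conf starts before and continues past this hunk.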