From 18711f7754401dd4ce26faa721e0f0bce41d4c1e Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Tue, 17 Mar 2026 19:20:03 +0400
Subject: Stream: fixed client certificate validation with OCSP.

Check for OCSP status was missed in 581cf2267, resulting in a broken validation.

Reported by Mufeed VH of Winfunc Research.
---
 src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src')

diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index b7e5db449..0e17cff4d 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -437,6 +437,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
     long rc;
     X509 *cert;
     ngx_int_t rv;
+    const char *str;
     ngx_connection_t *c;
     ngx_stream_ssl_srv_conf_t *sscf;
 
@@ -487,6 +488,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
         X509_free(cert);
     }
 
+
+    if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "client SSL certificate verify error: %s", str);
+        ngx_ssl_remove_cached_session(c->ssl->session_ctx, (SSL_get0_session(c->ssl->connection)));
+        return NGX_ERROR;
+    }
 }
 
 return NGX_OK;
-- 
cgit
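Review bot: The new `ngx_ssl_ocsp_get_status` block in the second hunk carries no comment explaining why a separate OCSP status check is required after the verify-result check earlier in `ngx_stream_ssl_handler`, and the commit message is currently the only record that leaving it out left client certificate validation broken. A short comment above the `if`, such as `/* OCSP result is reported separately from the X509 verify result; reject the client here when the certificate is revoked or its status could not be established */`, would keep that rationale next to the code where a future refactor will see it. Both the function body and the branch the block sits in start outside the hunk; the preceding `X509_free(cert); }` suggests it follows the peer-certificate check inside the verify branch, but that placement should be confirmed against the surrounding code, since the call presumably only degrades to a no-op outside that branch because no OCSP context exists there. The log line reuses the `NGX_LOG_INFO` level and the "client SSL certificate verify error" text of the other verify failures, so existing log-based monitoring of rejected client certificates should also see OCSP rejections without changes.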