Revert "nghttpx: Verify OCSP response using trusted CA certificates"
This reverts commit 59c78d5809
.
This commit is contained in:
parent
0de9d374df
commit
4be4c0cddc
13
src/shrpx.cc
13
src/shrpx.cc
|
@ -2071,14 +2071,11 @@ SSL/TLS:
|
|||
Don't verify backend server's certificate if TLS is
|
||||
enabled for backend connections.
|
||||
--cacert=<PATH>
|
||||
Set path to trusted CA certificate file. It is used in
|
||||
backend TLS connections to verify peer's certificate.
|
||||
It is also used to verify OCSP response from the script
|
||||
set by --fetch-ocsp-response-file. The file must be in
|
||||
PEM format. It can contain multiple certificates. If
|
||||
the linked OpenSSL is configured to load system wide
|
||||
certificates, they are loaded at startup regardless of
|
||||
this option.
|
||||
Set path to trusted CA certificate file used in backend
|
||||
TLS connections. The file must be in PEM format. It
|
||||
can contain multiple certificates. If the linked
|
||||
OpenSSL is configured to load system wide certificates,
|
||||
they are loaded at startup regardless of this option.
|
||||
--private-key-passwd-file=<PATH>
|
||||
Path to file that contains password for the server's
|
||||
private key. If none is given and the private key is
|
||||
|
|
|
@ -831,22 +831,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
|||
}
|
||||
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
|
||||
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
|
||||
LOG(WARN) << "Could not load system trusted ca certificates: "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
}
|
||||
|
||||
if (!tlsconf.cacert.empty()) {
|
||||
if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
|
||||
nullptr) != 1) {
|
||||
LOG(FATAL) << "Could not load trusted ca certificates from "
|
||||
<< tlsconf.cacert << ": "
|
||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
}
|
||||
|
||||
if (!tlsconf.private_key_passwd.empty()) {
|
||||
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
|
||||
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
|
||||
|
@ -1864,11 +1848,12 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
|
|||
}
|
||||
auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
|
||||
|
||||
auto store = SSL_CTX_get_cert_store(ssl_ctx);
|
||||
auto store = X509_STORE_new();
|
||||
auto store_deleter = defer(X509_STORE_free, store);
|
||||
|
||||
ERR_clear_error();
|
||||
|
||||
rv = OCSP_basic_verify(bs, chain_certs, store, 0);
|
||||
rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
|
||||
|
||||
if (rv != 1) {
|
||||
LOG(ERROR) << "OCSP_basic_verify failed: "
|
||||
|
|
Loading…
Reference in New Issue