Revert "nghttpx: Verify OCSP response using trusted CA certificates"

This reverts commit 59c78d5809.
Tatsuhiro Tsujikawa 2017-08-30 22:27:02 +09:00
parent 0de9d374df
commit 4be4c0cddc
2 changed files with 8 additions and 26 deletions


@ -2071,14 +2071,11 @@ SSL/TLS:
Don't verify backend server's certificate if TLS is
enabled for backend connections.
--cacert=<PATH>
Set path to trusted CA certificate file. It is used in
backend TLS connections to verify peer's certificate.
It is also used to verify OCSP response from the script
set by --fetch-ocsp-response-file. The file must be in
PEM format. It can contain multiple certificates. If
the linked OpenSSL is configured to load system wide
certificates, they are loaded at startup regardless of
this option.
Set path to trusted CA certificate file used in backend
TLS connections. The file must be in PEM format. It
can contain multiple certificates. If the linked
OpenSSL is configured to load system wide certificates,
they are loaded at startup regardless of this option.
--private-key-passwd-file=<PATH>
Path to file that contains password for the server's
private key. If none is given and the private key is


@ -831,22 +831,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
LOG(WARN) << "Could not load system trusted ca certificates: "
<< ERR_error_string(ERR_get_error(), nullptr);
}
if (!tlsconf.cacert.empty()) {
if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
nullptr) != 1) {
LOG(FATAL) << "Could not load trusted ca certificates from "
<< tlsconf.cacert << ": "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
if (!tlsconf.private_key_passwd.empty()) {
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@ -1864,11 +1848,12 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
}
auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
auto store = SSL_CTX_get_cert_store(ssl_ctx);
auto store = X509_STORE_new();
auto store_deleter = defer(X509_STORE_free, store);
ERR_clear_error();
rv = OCSP_basic_verify(bs, chain_certs, store, 0);
rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
if (rv != 1) {
LOG(ERROR) << "OCSP_basic_verify failed: "