Revert "nghttpx: Verify OCSP response using trusted CA certificates"

This reverts commit 59c78d5809.
Tatsuhiro Tsujikawa 2017-08-30 22:27:02 +09:00
parent 0de9d374df
commit 4be4c0cddc
2 changed files with 8 additions and 26 deletions


@ -2071,14 +2071,11 @@ SSL/TLS:
Don't verify backend server's certificate if TLS is Don't verify backend server's certificate if TLS is
enabled for backend connections. enabled for backend connections.
--cacert=<PATH> --cacert=<PATH>
Set path to trusted CA certificate file. It is used in Set path to trusted CA certificate file used in backend
backend TLS connections to verify peer's certificate. TLS connections. The file must be in PEM format. It
It is also used to verify OCSP response from the script can contain multiple certificates. If the linked
set by --fetch-ocsp-response-file. The file must be in OpenSSL is configured to load system wide certificates,
PEM format. It can contain multiple certificates. If they are loaded at startup regardless of this option.
the linked OpenSSL is configured to load system wide
certificates, they are loaded at startup regardless of
this option.
--private-key-passwd-file=<PATH> --private-key-passwd-file=<PATH>
Path to file that contains password for the server's Path to file that contains password for the server's
private key. If none is given and the private key is private key. If none is given and the private key is


@ -831,22 +831,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
} }
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
LOG(WARN) << "Could not load system trusted ca certificates: "
<< ERR_error_string(ERR_get_error(), nullptr);
}
if (!tlsconf.cacert.empty()) {
if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
nullptr) != 1) {
LOG(FATAL) << "Could not load trusted ca certificates from "
<< tlsconf.cacert << ": "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
if (!tlsconf.private_key_passwd.empty()) { if (!tlsconf.private_key_passwd.empty()) {
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb); SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@ -1864,11 +1848,12 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
} }
auto bs_deleter = defer(OCSP_BASICRESP_free, bs); auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
auto store = SSL_CTX_get_cert_store(ssl_ctx); auto store = X509_STORE_new();
auto store_deleter = defer(X509_STORE_free, store);
ERR_clear_error(); ERR_clear_error();
rv = OCSP_basic_verify(bs, chain_certs, store, 0); rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
if (rv != 1) { if (rv != 1) {
LOG(ERROR) << "OCSP_basic_verify failed: " LOG(ERROR) << "OCSP_basic_verify failed: "
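Review bot: On the new side of the second hunk, the result of `X509_STORE_new()` is handed to `OCSP_basic_verify` without a NULL check; on allocation failure `store` is NULL, and whether OpenSSL tolerates a NULL store in that call is version-dependent, so I would guard it before the deferred free, e.g. `if (!store) { LOG(ERROR) << "X509_STORE_new failed"; return /* same failure value the rv != 1 branch returns */; }` (that return value is outside the hunk, so confirm it). The pairing of an empty store with `OCSP_TRUSTOTHER` also deserves a comment, because it means the response is accepted only when its signer is one of `chain_certs` (presumably the server's own chain) and is never chained to any CA, something like `// Empty store + OCSP_TRUSTOTHER: trust the response only if signed by a cert in chain_certs; no CA path is built.` With `SSL_CTX_get_cert_store` gone, `ssl_ctx` may no longer be referenced anywhere in this function; worth checking for an unused-parameter warning. verify_ocsp_response starts and ends outside this hunk.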