nghttpx: Verify OCSP response using trusted CA certificates
parent
5833ef1efc
commit
59c78d5809
13
src/shrpx.cc
13
src/shrpx.cc
|
@ -2071,11 +2071,14 @@ SSL/TLS:
|
||||||
Don't verify backend server's certificate if TLS is
|
Don't verify backend server's certificate if TLS is
|
||||||
enabled for backend connections.
|
enabled for backend connections.
|
||||||
--cacert=<PATH>
|
--cacert=<PATH>
|
||||||
Set path to trusted CA certificate file used in backend
|
Set path to trusted CA certificate file. It is used in
|
||||||
TLS connections. The file must be in PEM format. It
|
backend TLS connections to verify peer's certificate.
|
||||||
can contain multiple certificates. If the linked
|
It is also used to verify OCSP response from the script
|
||||||
OpenSSL is configured to load system wide certificates,
|
set by --fetch-ocsp-response-file. The file must be in
|
||||||
they are loaded at startup regardless of this option.
|
PEM format. It can contain multiple certificates. If
|
||||||
|
the linked OpenSSL is configured to load system wide
|
||||||
|
certificates, they are loaded at startup regardless of
|
||||||
|
this option.
|
||||||
--private-key-passwd-file=<PATH>
|
--private-key-passwd-file=<PATH>
|
||||||
Path to file that contains password for the server's
|
Path to file that contains password for the server's
|
||||||
private key. If none is given and the private key is
|
private key. If none is given and the private key is
|
||||||
|
|
|
@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||||
|
|
||||||
|
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
|
||||||
|
LOG(WARN) << "Could not load system trusted ca certificates: "
|
||||||
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!tlsconf.cacert.empty()) {
|
||||||
|
if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
|
||||||
|
nullptr) != 1) {
|
||||||
|
LOG(FATAL) << "Could not load trusted ca certificates from "
|
||||||
|
<< tlsconf.cacert << ": "
|
||||||
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||||
|
DIE();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!tlsconf.private_key_passwd.empty()) {
|
if (!tlsconf.private_key_passwd.empty()) {
|
||||||
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
|
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
|
||||||
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
|
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
|
||||||
|
@ -1844,12 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
|
||||||
}
|
}
|
||||||
auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
|
auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
|
||||||
|
|
||||||
auto store = X509_STORE_new();
|
auto store = SSL_CTX_get_cert_store(ssl_ctx);
|
||||||
auto store_deleter = defer(X509_STORE_free, store);
|
|
||||||
|
|
||||||
ERR_clear_error();
|
ERR_clear_error();
|
||||||
|
|
||||||
rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
|
rv = OCSP_basic_verify(bs, chain_certs, store, 0);
|
||||||
|
|
||||||
if (rv != 1) {
|
if (rv != 1) {
|
||||||
LOG(ERROR) << "OCSP_basic_verify failed: "
|
LOG(ERROR) << "OCSP_basic_verify failed: "
|
||||||
|
|
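Review bot: The store handed to OCSP_basic_verify is now the SSL_CTX's own X509_STORE (SSL_CTX_get_cert_store in the verify_ocsp_response hunk), and the anchors filled into it in the create_ssl_context hunk — SSL_CTX_set_default_verify_paths, then --cacert via SSL_CTX_load_verify_locations — presumably also back any peer-certificate verification OpenSSL performs on that same context (e.g. client certificates when client verification is enabled), so the system CAs and --cacert become accepted issuers for that check as well, which neither the new help text nor the code states. If that widening is unintended, a dedicated store for OCSP (X509_STORE_new with X509_STORE_set_default_paths and X509_STORE_load_locations, keeping the removed store_deleter) would keep the two trust decisions separate; if it is intended, say so at the default-paths call, e.g. `// Trust anchors loaded here are shared by OCSP response verification and any peer verification on this context.`. The WARN-only handling when default paths fail to load also deserves a comment next to it, since OCSP responses signed by a responder that chains only to a system CA would then fail verification at OCSP_basic_verify with flags 0. Both create_ssl_context and verify_ocsp_response start and end outside their hunks.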