diff --git a/src/shrpx.cc b/src/shrpx.cc index ff92e1af..f8a8f364 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -2071,11 +2071,14 @@ SSL/TLS: Don't verify backend server's certificate if TLS is enabled for backend connections. --cacert= - Set path to trusted CA certificate file used in backend - TLS connections. The file must be in PEM format. It - can contain multiple certificates. If the linked - OpenSSL is configured to load system wide certificates, - they are loaded at startup regardless of this option. + Set path to trusted CA certificate file. It is used in + backend TLS connections to verify peer's certificate. + It is also used to verify OCSP response from the script + set by --fetch-ocsp-response-file. The file must be in + PEM format. It can contain multiple certificates. If + the linked OpenSSL is configured to load system wide + certificates, they are loaded at startup regardless of + this option. --private-key-passwd-file= Path to file that contains password for the server's private key. If none is given and the private key is diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc index 43737b58..19899d83 100644 --- a/src/shrpx_tls.cc +++ b/src/shrpx_tls.cc @@ -831,6 +831,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, } SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); + + if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) { + LOG(WARN) << "Could not load system trusted ca certificates: " + << ERR_error_string(ERR_get_error(), nullptr); + } + + if (!tlsconf.cacert.empty()) { + if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(), + nullptr) != 1) { + LOG(FATAL) << "Could not load trusted ca certificates from " + << tlsconf.cacert << ": " + << ERR_error_string(ERR_get_error(), nullptr); + DIE(); + } + } + if (!tlsconf.private_key_passwd.empty()) { SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config); @@ -1848,12 +1864,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp, } auto bs_deleter = defer(OCSP_BASICRESP_free, bs); - auto store = X509_STORE_new(); - auto store_deleter = defer(X509_STORE_free, store); + auto store = SSL_CTX_get_cert_store(ssl_ctx); ERR_clear_error(); - rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER); + rv = OCSP_basic_verify(bs, chain_certs, store, 0); if (rv != 1) { LOG(ERROR) << "OCSP_basic_verify failed: "