Merge pull request #943 from nghttp2/nghttpx-verify-ocsp-resp-with-cacerts

nghttpx: Verify OCSP response using trusted CA certificates
This commit is contained in:
Tatsuhiro Tsujikawa 2017-06-15 20:56:44 +09:00 committed by GitHub
commit a18d154e0e
2 changed files with 26 additions and 8 deletions


@ -2071,11 +2071,14 @@ SSL/TLS:
Don't verify backend server's certificate if TLS is Don't verify backend server's certificate if TLS is
enabled for backend connections. enabled for backend connections.
--cacert=<PATH> --cacert=<PATH>
Set path to trusted CA certificate file used in backend Set path to trusted CA certificate file. It is used in
TLS connections. The file must be in PEM format. It backend TLS connections to verify peer's certificate.
can contain multiple certificates. If the linked It is also used to verify OCSP response from the script
OpenSSL is configured to load system wide certificates, set by --fetch-ocsp-response-file. The file must be in
they are loaded at startup regardless of this option. PEM format. It can contain multiple certificates. If
the linked OpenSSL is configured to load system wide
certificates, they are loaded at startup regardless of
this option.
--private-key-passwd-file=<PATH> --private-key-passwd-file=<PATH>
Path to file that contains password for the server's Path to file that contains password for the server's
private key. If none is given and the private key is private key. If none is given and the private key is


@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
} }
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
LOG(WARN) << "Could not load system trusted ca certificates: "
<< ERR_error_string(ERR_get_error(), nullptr);
}
if (!tlsconf.cacert.empty()) {
if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
nullptr) != 1) {
LOG(FATAL) << "Could not load trusted ca certificates from "
<< tlsconf.cacert << ": "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
if (!tlsconf.private_key_passwd.empty()) { if (!tlsconf.private_key_passwd.empty()) {
SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb); SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@ -1844,12 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
} }
auto bs_deleter = defer(OCSP_BASICRESP_free, bs); auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
auto store = X509_STORE_new(); auto store = SSL_CTX_get_cert_store(ssl_ctx);
auto store_deleter = defer(X509_STORE_free, store);
ERR_clear_error(); ERR_clear_error();
rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER); rv = OCSP_basic_verify(bs, chain_certs, store, 0);
if (rv != 1) { if (rv != 1) {
LOG(ERROR) << "OCSP_basic_verify failed: " LOG(ERROR) << "OCSP_basic_verify failed: "