# HG changeset patch # User Jürno Ader <jyrn...@gmail.com> # Date 1488987398 -7200 # Wed Mar 08 17:36:38 2017 +0200 # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0 # Parent d450723755728f9d0cc291247b9601e2f3340f19 SSL: Added crl_check_mode
Added crl_check_mode flag which can be used to modify flags used for the X509_STORE created in ngx_ssl_crl. This makes it possible to use Estonian Identity card revocation lists with nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed since the root certificate for ESTEID does not have a proper CRL available. This patch implements the flag for the following modules: - http_proxy - http_ssl - http_uwsgi - mail_ssl - stream_proxy - stream_ssl diff -r d45072375572 -r 9c13ae0d54a7 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/event/ngx_event_openssl.c Wed Mar 08 17:36:38 2017 +0200 @@ -737,7 +737,8 @@ ngx_int_t -ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) +ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl, + ngx_uint_t crl_check_mode) { X509_STORE *store; X509_LOOKUP *lookup; @@ -774,8 +775,23 @@ return NGX_ERROR; } - X509_STORE_set_flags(store, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + unsigned long crl_flags; + + switch (crl_check_mode) { + + case NGX_SSL_CRL_CHECK_LEAF: + crl_flags = X509_V_FLAG_CRL_CHECK; + break; + + case NGX_SSL_CRL_CHECK_CHAIN: + crl_flags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + break; + + default: + crl_flags = 0; + } + + X509_STORE_set_flags(store, crl_flags); return NGX_OK; } diff -r d45072375572 -r 9c13ae0d54a7 src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h Tue Mar 07 18:51:17 2017 +0300 +++ b/src/event/ngx_event_openssl.h Wed Mar 08 17:36:38 2017 +0200 @@ -138,6 +138,9 @@ #define NGX_SSL_BUFSIZE 16384 +#define NGX_SSL_CRL_CHECK_NONE 0 +#define NGX_SSL_CRL_CHECK_LEAF 1 +#define NGX_SSL_CRL_CHECK_CHAIN 2 ngx_int_t ngx_ssl_init(ngx_log_t *log); ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data); 
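Review bot: The `default:` arm of the new switch in ngx_ssl_crl assigns `crl_flags = 0`, so NGX_SSL_CRL_CHECK_NONE (which has no case of its own) and any unrecognised mode value both silently disable revocation checking while the CRL file has already been loaded into the store — the unknown-value path should fail closed, not open. Give NONE an explicit case and turn `default:` into an error return, consistent with the `return NGX_ERROR;` path visible just above the flag assignment; the rewritten arms are below. The `unsigned long crl_flags;` declaration is also placed after statements, whereas the rest of ngx_ssl_crl declares `store` and `lookup` at the top of the function, so move it up there (the function's opening lines are in the preceding hunk, not this one). The same switch is the only place the mode is interpreted, so a short comment per case stating what the verifier will and will not check is worth adding here too.
```c
    switch (crl_check_mode) {

    case NGX_SSL_CRL_CHECK_NONE:
        /* CRL file is loaded but never consulted during verification */
        crl_flags = 0;
        break;

    case NGX_SSL_CRL_CHECK_LEAF:
        /* only the end-entity certificate is checked against the CRL */
        crl_flags = X509_V_FLAG_CRL_CHECK;
        break;

    case NGX_SSL_CRL_CHECK_CHAIN:
        /* every certificate in the chain is checked (previous behaviour) */
        crl_flags = X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
        break;

    default:
        /* fail closed: an unknown mode must not disable checking */
        return NGX_ERROR;
    }

    X509_STORE_set_flags(store, crl_flags);
```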
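Review bot: The three new NGX_SSL_CRL_CHECK_* constants in ngx_event_openssl.h say nothing about what each mode means for verification, and the difference between `leaf` and `chain` is exactly the security trade-off this patch introduces. Add a one-line comment per define: `/* CRL is loaded but revocation is not checked */` on NONE, `/* only the end-entity certificate is checked; a revoked intermediate CA is not detected */` on LEAF, and `/* all certificates in the chain are checked (default) */` on CHAIN. The `chain` default being the previous hard-coded behaviour is worth stating there as well, since each module's merge hunk relies on it.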
@@ -151,7 +154,8 @@ ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); -ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); +ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl, + ngx_uint_t crl_check_mode); ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/http/modules/ngx_http_proxy_module.c Wed Mar 08 17:36:38 2017 +0200 @@ -97,6 +97,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_uint_t ssl_crl_check_mode; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; @@ -237,6 +238,14 @@ { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_proxy_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + #endif @@ -692,6 +701,13 @@ offsetof(ngx_http_proxy_loc_conf_t, ssl_crl), NULL }, + { ngx_string("proxy_ssl_crl_check_mode"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_crl_check_mode), + &ngx_http_proxy_ssl_crl_check_mode }, + { ngx_string("proxy_ssl_certificate"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, 
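Review bot: The `ngx_http_proxy_ssl_crl_check_mode[]` table added here is declared again, byte for byte, as a static in ngx_http_ssl_module.c, ngx_http_uwsgi_module.c, ngx_mail_ssl_module.c, ngx_stream_proxy_module.c and ngx_stream_ssl_module.c, so a future mode value would have to be added in six places and the tables can drift. Define it once next to the NGX_SSL_CRL_CHECK_* constants — e.g. `ngx_conf_enum_t ngx_ssl_crl_check_modes[]` in ngx_event_openssl.c with an `extern` declaration in ngx_event_openssl.h — and point each command entry at it with `&ngx_ssl_crl_check_modes` instead of a per-module copy. While at it, listing the entries in the same order as the constants (`none`, `leaf`, `chain`) makes the mapping easier to verify against the header.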
@@ -2884,6 +2900,7 @@ conf->upstream.ssl_verify = NGX_CONF_UNSET; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT; #endif /* "proxy_cyclic_temp_file" is disabled */ @@ -3218,6 +3235,9 @@ ngx_conf_merge_str_value(conf->ssl_trusted_certificate, prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_uint_value(conf->ssl_crl_check_mode, + prev->ssl_crl_check_mode, + NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -4378,7 +4398,10 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl, + plcf->ssl_crl_check_mode) + != NGX_OK) + { return NGX_ERROR; } } diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Wed Mar 08 17:36:38 2017 +0200 @@ -70,6 +70,14 @@ }; +static ngx_conf_enum_t ngx_http_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + + static ngx_command_t ngx_http_ssl_commands[] = { { ngx_string("ssl"), @@ -205,6 +213,13 @@ offsetof(ngx_http_ssl_srv_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_mode"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, crl_check_mode), + &ngx_http_ssl_crl_check_mode }, + { ngx_string("ssl_stapling"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, ngx_conf_set_flag_slot, 
@@ -554,6 +569,7 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->crl_check_mode = NGX_CONF_UNSET_UINT; return sscf; } @@ -607,6 +623,8 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_uint_value(conf->crl_check_mode, prev->crl_check_mode, + NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); @@ -744,7 +762,10 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, + conf->crl_check_mode) + != NGX_OK) + { return NGX_CONF_ERROR; } diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Tue Mar 07 18:51:17 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Wed Mar 08 17:36:38 2017 +0200 @@ -40,6 +40,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_uint_t crl_check_mode; ngx_str_t ciphers; diff -r d45072375572 -r 9c13ae0d54a7 src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Mar 08 17:36:38 2017 +0200 @@ -54,6 +54,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_uint_t ssl_crl_check_mode; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; @@ -131,6 +132,14 @@ { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_uwsgi_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + #endif 
@@ -530,6 +539,13 @@ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl), NULL }, + { ngx_string("uwsgi_ssl_crl_check_mode"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl_check_mode), + &ngx_http_uwsgi_ssl_crl_check_mode }, + { ngx_string("uwsgi_ssl_certificate"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -1446,6 +1462,7 @@ conf->upstream.ssl_verify = NGX_CONF_UNSET; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT; #endif /* "uwsgi_cyclic_temp_file" is disabled */ @@ -1766,6 +1783,9 @@ ngx_conf_merge_str_value(conf->ssl_trusted_certificate, prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_uint_value(conf->ssl_crl_check_mode, + prev->ssl_crl_check_mode, + NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -2381,7 +2401,10 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, uwcf->upstream.ssl, &uwcf->ssl_crl, + uwcf->ssl_crl_check_mode) + != NGX_OK) + { return NGX_ERROR; } } diff -r d45072375572 -r 9c13ae0d54a7 src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/mail/ngx_mail_ssl_module.c Wed Mar 08 17:36:38 2017 +0200 @@ -55,6 +55,14 @@ }; +static ngx_conf_enum_t ngx_mail_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + + static ngx_command_t ngx_mail_ssl_commands[] = { { ngx_string("ssl"), 
@@ -190,6 +198,13 @@ offsetof(ngx_mail_ssl_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_mode"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, crl_check_mode), + &ngx_mail_ssl_crl_check_mode }, + ngx_null_command }; @@ -259,6 +274,7 @@ scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; scf->session_ticket_keys = NGX_CONF_UNSET_PTR; + scf->crl_check_mode = NGX_CONF_UNSET_UINT; return scf; } @@ -306,6 +322,8 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_uint_value(conf->crl_check_mode, + prev->crl_check_mode, NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS); @@ -417,7 +435,9 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_mode) + != NGX_OK) + { return NGX_CONF_ERROR; } } diff -r d45072375572 -r 9c13ae0d54a7 src/mail/ngx_mail_ssl_module.h --- a/src/mail/ngx_mail_ssl_module.h Tue Mar 07 18:51:17 2017 +0300 +++ b/src/mail/ngx_mail_ssl_module.h Wed Mar 08 17:36:38 2017 +0200 @@ -43,6 +43,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_uint_t crl_check_mode; ngx_str_t ciphers; diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Wed Mar 08 17:36:38 2017 +0200 @@ -44,6 +44,7 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_uint_t ssl_crl_check_mode; ngx_str_t ssl_certificate; ngx_str_t ssl_certificate_key; ngx_array_t *ssl_passwords; 
@@ -106,6 +107,14 @@ { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_stream_proxy_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + #endif @@ -290,6 +299,13 @@ offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl), NULL }, + { ngx_string("proxy_ssl_crl_check_mode"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl_check_mode), + &ngx_stream_proxy_ssl_crl_check_mode }, + { ngx_string("proxy_ssl_certificate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -1858,6 +1874,7 @@ conf->ssl_verify = NGX_CONF_UNSET; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_crl_check_mode = NGX_CONF_UNSET_UINT; #endif return conf; @@ -1928,6 +1945,9 @@ prev->ssl_trusted_certificate, ""); ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); + ngx_conf_merge_uint_value(conf->ssl_crl_check_mode, + prev->ssl_crl_check_mode, + NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ssl_certificate, prev->ssl_certificate, ""); @@ -2009,7 +2029,10 @@ return NGX_ERROR; } - if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl) != NGX_OK) { + if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl, + pscf->ssl_crl_check_mode) + != NGX_OK) + { return NGX_ERROR; } } diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_ssl_module.c --- a/src/stream/ngx_stream_ssl_module.c Tue Mar 07 18:51:17 2017 +0300 +++ b/src/stream/ngx_stream_ssl_module.c Wed Mar 08 17:36:38 2017 +0200 
@@ -58,6 +58,14 @@ }; +static ngx_conf_enum_t ngx_stream_ssl_crl_check_mode[] = { + { ngx_string("none"), NGX_SSL_CRL_CHECK_NONE }, + { ngx_string("chain"), NGX_SSL_CRL_CHECK_CHAIN }, + { ngx_string("leaf"), NGX_SSL_CRL_CHECK_LEAF }, + { ngx_null_string, 0 } +}; + + static ngx_command_t ngx_stream_ssl_commands[] = { { ngx_string("ssl_handshake_timeout"), @@ -186,6 +194,13 @@ offsetof(ngx_stream_ssl_conf_t, crl), NULL }, + { ngx_string("ssl_crl_check_mode"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_ssl_conf_t, crl_check_mode), + &ngx_stream_ssl_crl_check_mode }, + ngx_null_command }; @@ -519,6 +534,7 @@ scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; scf->session_ticket_keys = NGX_CONF_UNSET_PTR; + scf->crl_check_mode = NGX_CONF_UNSET_UINT; return scf; } @@ -561,6 +577,8 @@ ngx_conf_merge_str_value(conf->trusted_certificate, prev->trusted_certificate, ""); ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_uint_value(conf->crl_check_mode, prev->crl_check_mode, + NGX_SSL_CRL_CHECK_CHAIN); ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); @@ -635,7 +653,9 @@ return NGX_CONF_ERROR; } - if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl, conf->crl_check_mode) + != NGX_OK) + { return NGX_CONF_ERROR; } } diff -r d45072375572 -r 9c13ae0d54a7 src/stream/ngx_stream_ssl_module.h --- a/src/stream/ngx_stream_ssl_module.h Tue Mar 07 18:51:17 2017 +0300 +++ b/src/stream/ngx_stream_ssl_module.h Wed Mar 08 17:36:38 2017 +0200 @@ -38,6 +38,7 @@ ngx_str_t client_certificate; ngx_str_t trusted_certificate; ngx_str_t crl; + ngx_uint_t crl_check_mode; ngx_str_t ciphers; _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel