authorThedro Neely <thedroneely@gmail.com>2020-01-29 20:36:03 -0500
committerThedro Neely <thedroneely@gmail.com>2020-01-29 20:36:03 -0500
commit37f13e94b3de9440f8cf9567afb93f0aed09376f (patch)
treea58b8a24ec1d6e73e946566811d9631b9443e6e8 /roles/nginx/files
parent52de8730f14f35a439ec26257f79d45ed6e8cce4 (diff)
downloadplaybooks-37f13e94b3de9440f8cf9567afb93f0aed09376f.tar.gz
playbooks-37f13e94b3de9440f8cf9567afb93f0aed09376f.tar.bz2
playbooks-37f13e94b3de9440f8cf9567afb93f0aed09376f.zip
roles/nginx/main: Add OCSP patch
Diffstat (limited to 'roles/nginx/files')
-rw-r--r--roles/nginx/files/enable_boringssl_ocsp.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/roles/nginx/files/enable_boringssl_ocsp.patch b/roles/nginx/files/enable_boringssl_ocsp.patch
new file mode 100644
index 0000000..c5f9dee
--- /dev/null
+++ b/roles/nginx/files/enable_boringssl_ocsp.patch
@@ -0,0 +1,64 @@
+From 4be7f3188f18c64ef3de6cc35331220195de2b94 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E6=9D=8E=E9=80=9A=E6=B4=B2?= <carter.li@eoitek.com>
+Date: Sat, 19 May 2018 22:08:47 +0800
+Subject: [PATCH] Support OSCP stapling on BoringSSL
+
+---
+ src/event/ngx_event_openssl_stapling.c | 42 ++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
+index 0bea5e7..334f1c2 100644
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -1874,8 +1874,50 @@ ngx_int_t
+ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *responder, ngx_uint_t verify)
+ {
++#ifdef BORINGSSL_MAKE_DELETER
++ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
++ "using boringssl, currently only \"ssl_stapling_file\" is supported. use it as your own risk");
++
++ BIO *bio;
++ int len;
++ u_char buf[1024];
++
++ if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
++ return NGX_ERROR;
++ }
++
++ bio = BIO_new_file((char *) file->data, "r");
++ if (bio == NULL) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "BIO_new_file(\"%s\") failed", file->data);
++ return NGX_ERROR;
++ }
++
++ len = BIO_read(bio, buf, sizeof(buf) / sizeof(u_char));
++ BIO_free(bio);
++ bio = NULL;
++
++ if (len <= 0) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "Read OCSP response file \"%s\" failed: %d", file->data, len);
++ return NGX_ERROR;
++ }
++
++ if (len >= 1000) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "Unexpected OCSP response file length: %d", len);
++ return NGX_ERROR;
++ }
++
++ if (!SSL_CTX_set_ocsp_response(ssl->ctx, buf, len)) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "SSL_CTX_set_ocsp_response(ssl->ctx, buf, %d) failed", len);
++ return NGX_ERROR;
++ }
++#else
+ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
+ "\"ssl_stapling\" ignored, not supported");
++#endif
+
+ return NGX_OK;
+ }
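Review bot: The BoringSSL branch of ngx_ssl_stapling in the vendored patch staples whatever bytes are in `ssl_stapling_file` without any validation or refresh: the `verify` and `responder` parameters are never read, the response's validity window is not checked, and the file is read once at configuration time, so a response that later expires keeps being stapled until the next reload, which a must-staple client will reject. The `len >= 1000` cap is also inconsistent with the 1024-byte `buf`: a file of 1000–1023 bytes reads fine but is refused, and a file larger than 1024 bytes is silently truncated by `BIO_read` and then rejected with "Unexpected OCSP response file length", which hides the real cause; OCSP responses do exceed 1 KiB in practice, so this deserves a comment stating the limit and the reason for it. Since the patch is carried verbatim from an upstream commit, the minimum for this role would be a comment next to where it is applied, e.g. `# BoringSSL build: ssl_stapling_file is stapled as-is (no validation, no auto-refresh); the file must be regenerated on a schedule and nginx reloaded`. The warning text on the first added line should read `"use it at your own risk"`.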