authorThedro Neely <thedroneely@gmail.com>2020-01-29 20:36:03 -0500
committerThedro Neely <thedroneely@gmail.com>2020-01-29 20:36:03 -0500
commit37f13e94b3de9440f8cf9567afb93f0aed09376f (patch)
treea58b8a24ec1d6e73e946566811d9631b9443e6e8 /roles/nginx
parent52de8730f14f35a439ec26257f79d45ed6e8cce4 (diff)
roles/nginx/main: Add OCSP patch
Diffstat (limited to 'roles/nginx')
-rw-r--r--roles/nginx/files/enable_boringssl_ocsp.patch64
-rw-r--r--roles/nginx/main.yml10
2 files changed, 74 insertions, 0 deletions
diff --git a/roles/nginx/files/enable_boringssl_ocsp.patch b/roles/nginx/files/enable_boringssl_ocsp.patch
new file mode 100644
index 0000000..c5f9dee
--- /dev/null
+++ b/roles/nginx/files/enable_boringssl_ocsp.patch
@@ -0,0 +1,64 @@
+From 4be7f3188f18c64ef3de6cc35331220195de2b94 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E6=9D=8E=E9=80=9A=E6=B4=B2?= <carter.li@eoitek.com>
+Date: Sat, 19 May 2018 22:08:47 +0800
+Subject: [PATCH] Support OSCP stapling on BoringSSL
+
+---
+ src/event/ngx_event_openssl_stapling.c | 42 ++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
+index 0bea5e7..334f1c2 100644
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -1874,8 +1874,50 @@ ngx_int_t
+ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+ ngx_str_t *responder, ngx_uint_t verify)
+ {
++#ifdef BORINGSSL_MAKE_DELETER
++ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
++ "using boringssl, currently only \"ssl_stapling_file\" is supported. use it as your own risk");
++
++ BIO *bio;
++ int len;
++ u_char buf[1024];
++
++ if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
++ return NGX_ERROR;
++ }
++
++ bio = BIO_new_file((char *) file->data, "r");
++ if (bio == NULL) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "BIO_new_file(\"%s\") failed", file->data);
++ return NGX_ERROR;
++ }
++
++ len = BIO_read(bio, buf, sizeof(buf) / sizeof(u_char));
++ BIO_free(bio);
++ bio = NULL;
++
++ if (len <= 0) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "Read OCSP response file \"%s\" failed: %d", file->data, len);
++ return NGX_ERROR;
++ }
++
++ if (len >= 1000) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "Unexpected OCSP response file length: %d", len);
++ return NGX_ERROR;
++ }
++
++ if (!SSL_CTX_set_ocsp_response(ssl->ctx, buf, len)) {
++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++ "SSL_CTX_set_ocsp_response(ssl->ctx, buf, %d) failed", len);
++ return NGX_ERROR;
++ }
++#else
+ ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
+ "\"ssl_stapling\" ignored, not supported");
++#endif
+
+ return NGX_OK;
+ }
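Review bot: The BoringSSL branch reads the stapling file into a fixed `u_char buf[1024]` and then rejects anything with `len >= 1000`, so any DER OCSP response of a kilobyte or more — which is common once the responder's certificate is included — is refused at configuration time with NGX_LOG_EMERG, while the 1000 cut-off itself does not correspond to anything in the format. Sizing the read from the file's actual length with nginx's own file API removes both the arbitrary limit and the truncation concern; a sketch of that rewrite is below, with the rest of the function as the hunk has it. Separately, nothing between the read and `SSL_CTX_set_ocsp_response` checks that the bytes form an OCSP response for the configured certificate or that its validity window has not passed, and since the file is read once here (as far as I can tell BoringSSL stores the blob as given), a stale response keeps being stapled until the next reload — worth a comment above the `#ifdef`, e.g. `/* file contents are stapled verbatim and re-read only on reload; keep it fresh externally */`. The `verify` and `responder` parameters are also silently ignored on this path; logging that `ssl_stapling_responder`/`ssl_stapling_verify` have no effect here would avoid a false sense of verification.
```c
#ifdef BORINGSSL_MAKE_DELETER
    ngx_fd_t         fd;
    ngx_file_info_t  fi;
    size_t           size;
    ssize_t          n;
    u_char          *buf;

    /* … unchanged: warning log and ngx_conf_full_name() … */

    fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
    if (fd == NGX_INVALID_FILE) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
                      ngx_open_file_n " \"%s\" failed", file->data);
        return NGX_ERROR;
    }

    if (ngx_fd_info(fd, &fi) == NGX_FILE_ERROR) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
                      ngx_fd_info_n " \"%s\" failed", file->data);
        ngx_close_file(fd);
        return NGX_ERROR;
    }

    size = (size_t) ngx_file_size(&fi);

    /* pool memory lives as long as the configuration cycle */
    buf = (size > 0) ? ngx_pnalloc(cf->pool, size) : NULL;
    if (buf == NULL) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                      "OCSP response file \"%s\" is empty or cannot be buffered",
                      file->data);
        ngx_close_file(fd);
        return NGX_ERROR;
    }

    n = ngx_read_fd(fd, buf, size);
    ngx_close_file(fd);

    if (n == -1 || (size_t) n != size) {
        ngx_log_error(NGX_LOG_EMERG, ssl->log, ngx_errno,
                      ngx_read_fd_n " \"%s\" failed", file->data);
        return NGX_ERROR;
    }

    if (!SSL_CTX_set_ocsp_response(ssl->ctx, buf, size)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ocsp_response(ssl->ctx, buf, %uz) failed", size);
        return NGX_ERROR;
    }
#else
    /* … unchanged: "ssl_stapling ignored" warning … */
```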
diff --git a/roles/nginx/main.yml b/roles/nginx/main.yml
index 7725c19..a55912a 100644
--- a/roles/nginx/main.yml
+++ b/roles/nginx/main.yml
@@ -120,6 +120,15 @@
chdir: /opt/nginx
creates: .nginx-{{ nginx_version }}-verified
+ - name: Copying patches
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ with_items:
+ -
+ src: enable_boringssl_ocsp.patch
+ dest: /opt/nginx
+
- name: Extracting application source
unarchive:
src: /opt/nginx/nginx-{{ nginx_version}}.tar.gz
@@ -182,6 +191,7 @@
--with-cc-opt=-Wno-error
--with-debug"
&& patch -p01 < ../quiche/extras/nginx/nginx-1.16.patch
+ && patch -p01 < ../enable_boringssl_ocsp.patch
&& ./configure $CONFIG
&& make -j$(getconf _NPROCESSORS_ONLN)
args:
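Review bot: The new `patch -p01 < ../enable_boringssl_ocsp.patch` line runs for whatever `nginx_version` the role is given, but the patch file was written against one specific layout of `src/event/ngx_event_openssl_stapling.c`; with GNU patch's default fuzz factor, a hunk whose context has drifted can be placed at an offset silently, so a source tree that differs from the one the patch targets may end up with the `#ifdef` block in the wrong function rather than with the build failing. Applying it with fuzz disabled makes a mismatch fail the `&&` chain instead: `&& patch -p01 --fuzz=0 < ../enable_boringssl_ocsp.patch`. The shell command this line belongs to starts before the hunk and its `args:` block continues after it, so I cannot see whether a `creates:` guard keeps this step from re-applying the patch on a second run.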