nghttpx: Verify OCSP response using trusted CA certificates

59c78d58 · Tatsuhiro Tsujikawa · 5833ef1e · 59c78d58 · 59c78d58
Commit 59c78d58 authored Jun 13, 2017 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 8 deletions

src/shrpx.cc src/shrpx.cc +8 -5

src/shrpx_tls.cc src/shrpx_tls.cc +18 -3

No files found.
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2071,11 +2071,14 @@ SSL/TLS:
              Don't  verify backend  server's  certificate  if TLS  is
              enabled for backend connections.
  --cacert=<PATH>
-              Set path to trusted CA  certificate file used in backend
-              TLS connections.   The file must  be in PEM  format.  It
-              can  contain  multiple   certificates.   If  the  linked
-              OpenSSL is configured to  load system wide certificates,
-              they are loaded at startup regardless of this option.
+              Set path to trusted CA  certificate file.  It is used in
+              backend  TLS connections  to verify  peer's certificate.
+              It is also used to  verify OCSP response from the script
+              set by --fetch-ocsp-response-file.  The  file must be in
+              PEM format.   It can contain multiple  certificates.  If
+              the  linked OpenSSL  is configured  to load  system wide
+              certificates, they  are loaded at startup  regardless of
+              this option.
  --private-key-passwd-file=<PATH>
              Path  to file  that contains  password for  the server's
              private key.   If none is  given and the private  key is

--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  }

  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+  if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
+    LOG(WARN) << "Could not load system trusted ca certificates: "
+              << ERR_error_string(ERR_get_error(), nullptr);
+  }
+
+  if (!tlsconf.cacert.empty()) {
+    if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
+                                      nullptr) != 1) {
+      LOG(FATAL) << "Could not load trusted ca certificates from "
+                 << tlsconf.cacert << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+
  if (!tlsconf.private_key_passwd.empty()) {
    SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@@ -1844,12 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
  }
  auto bs_deleter = defer(OCSP_BASICRESP_free, bs);

-  auto store = X509_STORE_new();
-  auto store_deleter = defer(X509_STORE_free, store);
+  auto store = SSL_CTX_get_cert_store(ssl_ctx);

  ERR_clear_error();

-  rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
+  rv = OCSP_basic_verify(bs, chain_certs, store, 0);

  if (rv != 1) {
    LOG(ERROR) << "OCSP_basic_verify failed: "