Stream: fixed client certificate validation with OCSP.

Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.
Sergey Kandaurov 2026-03-17 19:20:03 +04:00 committed by Roman Arutyunyan
parent 9bc13718fe
commit 18711f7754


@ -437,6 +437,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
long rc; long rc;
X509 *cert; X509 *cert;
ngx_int_t rv; ngx_int_t rv;
const char *str;
ngx_connection_t *c; ngx_connection_t *c;
ngx_stream_ssl_srv_conf_t *sscf; ngx_stream_ssl_srv_conf_t *sscf;
@ -487,6 +488,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
X509_free(cert); X509_free(cert);
} }
if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: %s", str);
ngx_ssl_remove_cached_session(c->ssl->session_ctx,
(SSL_get0_session(c->ssl->connection)));
return NGX_ERROR;
}
} }
return NGX_OK; return NGX_OK;
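Review bot: The added `ngx_ssl_ocsp_get_status()` block at the end of the verify branch has no comment explaining why the session is removed from the cache before `return NGX_ERROR`. Presumably this stops a later resumption of the same session from skipping the OCSP result. I would put `/* OCSP status is not good: reject, and drop the session so it cannot be resumed */` above the `ngx_ssl_remove_cached_session()` call. That would make the fail-closed intent explicit and make it harder for a later refactor to drop the check again, as the commit message says happened in 581cf2267. The commit also shows no regression test for a client certificate with a revoked or unavailable OCSP status on a stream listener, which would be worth adding. `ngx_stream_ssl_handler()` starts and ends outside the hunk, so the conditions guarding this branch are not visible here.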