diff src/mail/ngx_mail_auth_http_module.c @ 9324:03cdd806c0f2
SSL: added SHA-256 fingerprints.
In http and stream modules, the $ssl_client_fingerprint_sha256 variable
now provides client certificate SHA-256 fingerprint, in addition to the
$ssl_client_fingerprint variable with SHA-1 fingerprint.
In mail proxy, the "Auth-SSL-Fingerprint-SHA256" header was added.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 31 Aug 2024 00:30:42 +0300 |
parents | 4538c1ffb0f8 |
children |
--- a/src/mail/ngx_mail_auth_http_module.c Sat Aug 31 00:30:39 2024 +0300
+++ b/src/mail/ngx_mail_auth_http_module.c Sat Aug 31 00:30:42 2024 +0300
@@ -1213,7 +1213,8 @@
 ngx_connection_t *c;
 #if (NGX_MAIL_SSL)
 ngx_str_t protocol, cipher, verify, subject, issuer,
- serial, fingerprint, raw_cert, cert;
+ serial, fingerprint, fingerprint2, raw_cert,
+ cert;
 ngx_mail_ssl_conf_t *sslcf;
 #endif
 ngx_mail_core_srv_conf_t *cscf;
@@ -1275,6 +1276,10 @@
 return NULL;
 }
+ if (ngx_ssl_get_fingerprint_sha256(c, pool, &fingerprint2) != NGX_OK) {
+ return NULL;
+ }
+
 if (ahcf->pass_client_cert) {
 /* certificate itself, if configured */
@@ -1297,6 +1302,7 @@
 ngx_str_null(&issuer);
 ngx_str_null(&serial);
 ngx_str_null(&fingerprint);
+ ngx_str_null(&fingerprint2);
 ngx_str_null(&cert);
 }
@@ -1360,6 +1366,8 @@
 + sizeof(CRLF) - 1 + sizeof("Auth-SSL-Fingerprint: ") - 1 + fingerprint.len + sizeof(CRLF) - 1
+ + sizeof("Auth-SSL-Fingerprint-SHA256: ") - 1 + fingerprint2.len
+ + sizeof(CRLF) - 1
 + sizeof("Auth-SSL-Cert: ") - 1 + cert.len + sizeof(CRLF) - 1;
 }
@@ -1520,6 +1528,13 @@
 *b->last++ = CR; *b->last++ = LF;
 }
+ if (fingerprint2.len) {
+ b->last = ngx_cpymem(b->last, "Auth-SSL-Fingerprint-SHA256: ",
+ sizeof("Auth-SSL-Fingerprint-SHA256: ") - 1);
+ b->last = ngx_copy(b->last, fingerprint2.data, fingerprint2.len);
+ *b->last++ = CR; *b->last++ = LF;
+ }
+
 if (cert.len) {
 b->last = ngx_cpymem(b->last, "Auth-SSL-Cert: ",
 sizeof("Auth-SSL-Cert: ") - 1);
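Review bot: `fingerprint2` in the first hunk's declaration list does not say which digest it holds, and it sits directly beside `fingerprint`, which carries the SHA-1 value sent as Auth-SSL-Fingerprint. A name such as `fingerprint_sha256` would make it harder to swap the two digests when the headers are assembled. The same identifier is used in the later hunks: the ngx_ssl_get_fingerprint_sha256() call, the ngx_str_null() reset, the length sum and the header write. Proposed declaration line: `serial, fingerprint, fingerprint_sha256, raw_cert,`. The enclosing function starts and ends outside this hunk.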
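Review bot: The bytes reserved for Auth-SSL-Fingerprint-SHA256 in the length sum (hunk at -1360) and the bytes written in the last hunk stay equal only because the same string literal is repeated three times, and the write goes through unchecked ngx_cpymem()/ngx_copy() into `b`. If the buffer is sized from this `len` sum, as the surrounding code suggests but the hunks do not show, a later edit to one literal and not the others would write past the reservation. A short comment on the new term would help, for example `/* must match the "Auth-SSL-Fingerprint-SHA256: " header written below */`. Both the sum and the write belong to a function whose start and end are outside these hunks.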