Notes on the basic directives of the ngx_http_ssl_module module (part 2)

Original article; when reposting, please cite the source and keep the original URL.

This post gives a brief introduction to nginx's ngx_http_ssl_module module. It covers the following directives: ssl_session_timeout, ssl_stapling, ssl_stapling_file, ssl_stapling_responder, ssl_stapling_verify, ssl_trusted_certificate, ssl_verify_client, ssl_verify_depth.

11. ssl_session_timeout

syntax: ssl_session_timeout time;
default: ssl_session_timeout 5m;
context: http, server

Specifies the time during which a client may reuse the session parameters stored in the session cache.

Original nginx text:

Specifies a time during which a client may reuse the session parameters stored in a cache.

12. ssl_stapling

syntax: ssl_stapling on | off;
default: ssl_stapling off;
context: http, server

This directive appeared in version 1.3.7.

Enables or disables OCSP stapling (http://en.wikipedia.org/wiki/OCSP_stapling) on this server. OCSP (Online Certificate Status Protocol) is one of the two common schemes for maintaining the security of servers and other network resources. OCSP overcomes the main drawback of certificate revocation lists (CRLs): the list has to be downloaded frequently by the client to make sure it is up to date. When a user tries to access a server, OCSP sends a request for the certificate's status information, and the server replies with "valid", "expired" or "unknown". The protocol defines the communication syntax between server and client applications. OCSP also gives a user's expiring certificate a grace period, so the user can keep accessing the server for a period of time before renewal. Example:

ssl_stapling on;

resolver 192.0.2.1;

For OCSP stapling to work, the certificate of the issuer of the server certificate must be known. If the ssl_certificate file does not contain the intermediate certificates, the issuer certificate of the server certificate should be present in the ssl_trusted_certificate file.

The resolver directive should also be specified so that the hostname of the OCSP responder can be resolved.

Original nginx text:

Enables or disables stapling of OCSP responses by the server. Example:

ssl_stapling on;

resolver 192.0.2.1;

For the OCSP stapling to work, the certificate of the issuer of the server certificate should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the issuer of the server certificate should be present in the ssl_trusted_certificate file.

The resolver directive should also be specified to allow for a resolution of an OCSP responder hostname.

13. ssl_stapling_file

syntax: ssl_stapling_file file;
default:
context: http, server

This directive appeared in version 1.3.7.

When this file is set, the stapled OCSP response is taken from the file instead of being fetched from the OCSP responder named in the server certificate.

The file should be in DER format, as produced by the openssl ocsp command.

Original nginx text:

When set, the stapled OCSP response will be taken from the specified file instead of querying the OCSP responder specified in the server certificate.

The file should be in the DER format as produced by the “openssl ocsp” command.

14. ssl_stapling_responder

syntax: ssl_stapling_responder url;
default:
context: http, server

This directive appeared in version 1.3.7.

Overrides the URL of the OCSP responder given in the "Authority Information Access" extension of the certificate.

Only OCSP responders whose URL starts with "http://" are supported:

ssl_stapling_responder http://ocsp.example.com/;

Original nginx text:

Overrides the URL of OCSP responder specified in the “Authority Information Access” certificate extension.

Only “http://” OCSP responders are supported:

ssl_stapling_responder http://ocsp.example.com/;

15. ssl_stapling_verify

syntax: ssl_stapling_verify on | off;
default: ssl_stapling_verify off;
context: http, server

This directive appeared in version 1.3.7.

Enables or disables verification of OCSP responses by the server.

For verification to work, the issuer certificate of the server certificate, the root certificate and all intermediate certificates must be configured as trusted with the ssl_trusted_certificate directive.

Original nginx text:

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the issuer of the server certificate, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

16. ssl_trusted_certificate

syntax: ssl_trusted_certificate file;
default:
context: http, server

This directive appeared in version 1.3.7.

Specifies a file with trusted CA certificates in PEM format, used to verify client certificates and, when ssl_stapling is enabled, OCSP responses.

In contrast to ssl_client_certificate, this list of certificates is not sent to clients.

Original nginx text:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

In contrast to ssl_client_certificate, the list of these certificates will not be sent to clients.
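The stapling directives from sections 12 to 16 fit together in one server block. The following configuration is an added example written for this post, not taken from the nginx documentation; the hostname, file paths and resolver address are placeholders.

```nginx
# Added example (not from the nginx docs): OCSP stapling for one virtual host.
# All paths, names and addresses below are placeholders.
server {
    listen 443 ssl;
    server_name www.example.com;

    # fullchain.pem = server certificate followed by its intermediate(s).
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # Session cache; clients may resume for 10 minutes instead of the 5m default.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # nginx fetches the OCSP response from the responder named in the
    # certificate's Authority Information Access extension and staples it.
    ssl_stapling        on;

    # Check the fetched response before stapling it. This needs the issuer,
    # the root and every intermediate to be trusted via ssl_trusted_certificate
    # (this file is NOT sent to clients, unlike ssl_client_certificate).
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;

    # Required so the responder hostname can be resolved.
    resolver         192.0.2.1 valid=300s;
    resolver_timeout 5s;

    # Optional overrides (commented out): force a specific http:// responder,
    # or serve a pre-fetched DER response produced with "openssl ocsp".
    # ssl_stapling_responder http://ocsp.example.com/;
    # ssl_stapling_file      /etc/nginx/ssl/ocsp-response.der;
}
```

With ssl_stapling_verify off, a response that fails verification is still stapled, so enabling it is the setting to check when the staple a client receives is unexpectedly rejected.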

17. ssl_verify_client

syntax: ssl_verify_client on | off | optional | optional_no_ca;
default: ssl_verify_client off;
context: http, server

Enables verification of client certificates. The result of the verification is stored in the $ssl_client_verify variable.

The optional parameter (0.8.7+) requests the client certificate and verifies it if one is presented.

The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA. This is meant for cases where the actual certificate verification is performed by a service outside nginx; the certificate contents are made available through the $ssl_client_cert variable.

Original nginx text:

Enables verification of client certificates. The result of verification is stored in the $ssl_client_verify variable.

The optional parameter (0.8.7+) requests the client certificate, and if certificate was present, verifies it.

The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases where actual certificate verification is performed by a service that is external to nginx. The contents of a certificate is made available through the $ssl_client_cert variable.

18. ssl_verify_depth

syntax: ssl_verify_depth number;
default: ssl_verify_depth 1;
context: http, server

Sets the verification depth of the client certificate chain.

Original nginx text:

Sets a verification depth in the client certificates chain.

Error handling

The ngx_http_ssl_module module supports several non-standard error codes that can be used for redirects with the error_page directive:

495

an error occurred during client certificate verification;

496

the client did not present the required certificate;

497

a plain (non-HTTPS) request was sent to the HTTPS port.

The redirect happens after the request has been fully parsed and variables such as $request_uri, $uri and $args are available.

Embedded variables

The ngx_http_ssl_module module supports several embedded variables:

$ssl_cipher

returns the cipher string used for the established SSL connection;

$ssl_client_cert

returns the client certificate in PEM format for the established SSL connection, with every line except the first prefixed with a tab character; this is intended for use in the proxy_set_header directive;

$ssl_client_raw_cert

returns the client certificate in PEM format for the established SSL connection;

$ssl_client_serial

returns the serial number of the client certificate for the established SSL connection;

$ssl_client_s_dn

returns the "subject DN" string of the client certificate for the established SSL connection;

$ssl_client_i_dn

returns the "issuer DN" string of the client certificate for the established SSL connection;

$ssl_client_verify

returns the result of client certificate verification: "SUCCESS", "FAILED", or "NONE" if no certificate was presented;

$ssl_protocol

returns the protocol of the established SSL connection;

$ssl_session_id

returns the session identifier of the established SSL connection.

Error Processing

The ngx_http_ssl_module module supports several non-standard error codes that can be used for redirects using the error_page directive:

495

an error has occurred during the client certificate verification;

496

a client did not present the required certificate;

497

a regular request was sent to the HTTPS port.

A redirection happens after the request was fully parsed and variables such as $request_uri, $uri, $args and others were made available.

Embedded Variables

The ngx_http_ssl_module module supports several embedded variables:

$ssl_cipher

returns the string of ciphers used for an established SSL connection;

$ssl_client_cert

returns the client certificate in the PEM format for an established SSL connection, with each line except the first prepended with the tab character; this is intended for the use in the proxy_set_header directive;

$ssl_client_raw_cert

returns the client certificate in the PEM format for an established SSL connection;

$ssl_client_serial

returns the serial number of the client certificate for an established SSL connection;

$ssl_client_s_dn

returns the “subject DN” string of the client certificate for an established SSL connection;

$ssl_client_i_dn

returns the “issuer DN” string of the client certificate for an established SSL connection;

$ssl_client_verify

returns the result of client certificate verification: “SUCCESS”, “FAILED”, and “NONE” if a certificate was not present;

$ssl_protocol

returns the protocol of an established SSL connection;

$ssl_session_id

returns the session identifier of an established SSL connection.
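Sections 17 and 18, the error codes and the embedded variables come together when nginx terminates TLS for a backend that needs the client's identity. The configuration below is an added example written for this post, not from the nginx documentation; the hostname, paths, upstream address and header names are placeholders.

```nginx
# Added example (not from the nginx docs): optional client-certificate
# authentication with the result passed to an upstream. Placeholders throughout.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    # CA(s) that must have signed client certificates. Unlike
    # ssl_trusted_certificate, this list is sent to clients in the handshake.
    ssl_client_certificate /etc/nginx/ssl/client-ca.pem;

    # optional: request a certificate, verify it if presented, but still
    # accept connections without one, so the decision is made per location.
    ssl_verify_client optional;

    # Default depth 1 only allows a leaf signed directly by a CA in
    # client-ca.pem; client CA -> intermediate -> leaf needs depth 2.
    ssl_verify_depth 2;

    # Module-specific codes: 495 = certificate presented but verification
    # failed; 496 = none presented (only with ssl_verify_client on);
    # 497 = plain HTTP sent to the HTTPS port, so redirect to https.
    error_page 495 496 = @cert_error;
    error_page 497 =301 https://$host$request_uri;

    location @cert_error {
        return 403 "client certificate missing or invalid\n";
    }

    location / {
        # With "optional", a missing certificate yields NONE rather than an
        # error, so the authorization check has to be explicit here.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8080;

        # Identity details for the backend. $ssl_client_cert has its
        # continuation lines tab-indented so the PEM fits one header value.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-I-DN   $ssl_client_i_dn;
        proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_cert;
    }
}
```

Because the backend trusts these headers as the verification result, it must only be reachable through this nginx instance; otherwise a caller could supply X-SSL-Client-Verify itself.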
