authorAndrey Suvorov <a.suvorov@f5.com>2021-03-24 13:19:36 -0700
committerAndrey Suvorov <a.suvorov@f5.com>2021-03-24 13:19:36 -0700
commitd2b0882d89f29fea84b457e0709b6980c8a30a57 (patch)
tree5bf41ab489a5866cfcb28ea35d36623110079d53 /src/nxt_conf_validation.c
parentd62192738f2db9e22e1357daa7b7dccdce3c783f (diff)
Added ability to configure multiple certificates on a listener.
The certificate is selected by matching the arriving SNI to the common name and the alternative names. If no certificate matches the name, the first bundle in the array is chosen.
Diffstat (limited to '')
-rw-r--r--src/nxt_conf_validation.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/src/nxt_conf_validation.c b/src/nxt_conf_validation.c
index 0e6fc135..8c5d1ec7 100644
--- a/src/nxt_conf_validation.c
+++ b/src/nxt_conf_validation.c
@@ -87,6 +87,8 @@ static nxt_int_t nxt_conf_vldt_listener(nxt_conf_validation_t *vldt,
#if (NXT_TLS)
static nxt_int_t nxt_conf_vldt_certificate(nxt_conf_validation_t *vldt,
nxt_conf_value_t *value, void *data);
+static nxt_int_t nxt_conf_vldt_certificate_element(nxt_conf_validation_t *vldt,
+ nxt_conf_value_t *value);
#endif
static nxt_int_t nxt_conf_vldt_action(nxt_conf_validation_t *vldt,
nxt_conf_value_t *value, void *data);
@@ -354,7 +356,7 @@ static nxt_conf_vldt_object_t nxt_conf_vldt_listener_members[] = {
static nxt_conf_vldt_object_t nxt_conf_vldt_tls_members[] = {
{
.name = nxt_string("certificate"),
- .type = NXT_CONF_VLDT_STRING,
+ .type = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
.validator = nxt_conf_vldt_certificate,
},
@@ -1827,9 +1829,34 @@ static nxt_int_t
nxt_conf_vldt_certificate(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
void *data)
{
+ if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
+ if (nxt_conf_array_elements_count(value) == 0) {
+ return nxt_conf_vldt_error(vldt, "The \"certificate\" array "
+ "must contain at least one element.");
+ }
+
+ return nxt_conf_vldt_array_iterator(vldt, value,
+ &nxt_conf_vldt_certificate_element);
+ }
+
+ /* NXT_CONF_STRING */
+
+ return nxt_conf_vldt_certificate_element(vldt, value);
+}
+
+
+static nxt_int_t
+nxt_conf_vldt_certificate_element(nxt_conf_validation_t *vldt,
+ nxt_conf_value_t *value)
+{
nxt_str_t name;
nxt_conf_value_t *cert;
+ if (nxt_conf_type(value) != NXT_CONF_STRING) {
+ return nxt_conf_vldt_error(vldt, "The \"certificate\" array must "
+ "contain only string values.");
+ }
+
nxt_conf_get_string(value, &name);
cert = nxt_cert_info_get(&name);
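Review bot: The array branch of nxt_conf_vldt_certificate validates each element on its own, so a bundle name listed twice passes validation, and nothing in the validator records that element order is significant. Per the commit description the first bundle is served when no certificate matches the SNI, which makes position 0 a security-relevant default; I would add a comment above the iterator call such as `/* Order matters: the first bundle is the fallback when no name matches the SNI. */`. If duplicates carry no meaning for the selection code (not visible here), rejecting them at validation time would give operators a clearer error than silently accepting them. The body of nxt_conf_vldt_certificate_element continues past the end of the hunk.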