Verify Upstream SSL Certs
Phil Parker
parker.p.dev at gmail.com
Wed Aug 28 08:20:46 UTC 2013
This has been discussed in detail previously:
http://trac.nginx.org/nginx/ticket/13
http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
I have created a patch that I'm using locally and would like to contribute,
but as a first-time contributor I'm looking for advice.
The way I've implemented it adds two new (mutually exclusive) directives
that can be set on a location, e.g.
location / {
proxy_ssl_peer_certificate_path "/tmp/sslcerts";
#proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
proxy_pass ....
}
These are passed through to SSL_CTX_load_verify_locations (
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)
The main advice I'm looking for:
1) Is this implemented in a way that is useful for others?
2) Should I be writing tests (i.e. test-driving the change)? If so, how?
3) Anything in the patch (below) that needs to be changed (implementation
or style)?
4) How best to submit the patch? (I've currently made it against 1.4.2 and
just created a patch file; I'm not currently a Mercurial user but can check
out the repository if necessary.)
Thx,
P.
diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c
--- ../nginx-1.4.2/src/event/ngx_event_openssl.c 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.c 2013-08-28 08:21:26.062300918 +0100
@@ -228,6 +228,30 @@
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+ if (ssl->ca_certificate_file.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, (const char *)
+ ssl->ca_certificate_file.data, NULL
+ ) == 0){
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_load_verify_locations(ctx, \"%s\", NULL)
failed",
+ (const char *)ssl->ca_certificate_file.data);
+ return NGX_ERROR;
+ }
+ }
+
+ if (ssl->ca_certificate_path.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, NULL,
+ (const char *)
+ ssl->ca_certificate_path.data) == 0){
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_load_verify_locations(ctx, NULL, \"%s\")
failed",
+ (const char *)ssl->ca_certificate_path.data);
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}
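Review bot: The added verification only checks that the upstream certificate chains to a CA in the configured file or directory; with a `NULL` callback passed to `SSL_CTX_set_verify` and no later check, nothing compares the certificate's subject or subjectAltName with the host being proxied to, so a certificate the trusted CA issued for any other name is accepted. A verify callback in place of that `NULL`, or a post-handshake check of the peer certificate in the proxy module, is needed before this amounts to peer verification, and a comment on the `SSL_VERIFY_PEER` line should state which of the two is done (the enclosing function starts before the hunk). Both log messages cast `.data` to `const char *` and print it with `%s`, which assumes NUL termination; nginx formats `ngx_str_t` with `%V`, e.g. `"SSL_CTX_load_verify_locations(ctx, \"%V\", NULL) failed", &ssl->ca_certificate_file`. The cover note calls the two directives mutually exclusive but this hunk does not enforce it: when both are set the second `SSL_CTX_set_verify` is redundant and both locations are loaded, so either reject the combination in the proxy module or collapse the two branches into one `SSL_CTX_load_verify_locations` call that passes both the file and the path.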
diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.h
src/event/ngx_event_openssl.h
--- ../nginx-1.4.2/src/event/ngx_event_openssl.h 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.h 2013-08-28 08:21:26.074300918 +0100
@@ -29,6 +29,8 @@
typedef struct {
SSL_CTX *ctx;
ngx_log_t *log;
+ ngx_str_t ca_certificate_file;
+ ngx_str_t ca_certificate_path;
} ngx_ssl_t;
diff -uNr ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c
src/http/modules/ngx_http_proxy_module.c
--- ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c 2013-07-17
13:51:22.000000000 +0100
+++ src/http/modules/ngx_http_proxy_module.c 2013-08-28 08:21:26.074300918
+0100
@@ -511,6 +511,20 @@
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),
NULL },
+ { ngx_string("proxy_ssl_peer_certificate_file"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_file),
+ NULL },
+
+ { ngx_string("proxy_ssl_peer_certificate_path"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_path),
+ NULL },
+
#endif
ngx_null_command
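Review bot: The slots these directives fill are named `upstream.ssl_certificate_file` and `upstream.ssl_certificate_path`, while the directives are `proxy_ssl_peer_certificate_*` and the same strings are called `ca_certificate_*` in `ngx_ssl_t`; in nginx `ssl_certificate` already means the server's own certificate, so the field names read as a client certificate rather than a trust store. Renaming the fields to match the directive (`upstream.ssl_peer_certificate_file` / `..._path`, or the `ca_` prefix used in the ngx_event_openssl.h hunk) would remove the ambiguity, and the same applies to the declarations in the ngx_http_upstream.h hunk. A one-line comment on each directive saying that the value is a file of trusted CA certificates, or a directory of hashed CA certificates, handed to `SSL_CTX_load_verify_locations` would also help, since neither the directive name nor `ngx_conf_set_str_slot` says which.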
@@ -3742,6 +3756,11 @@
plcf->upstream.ssl->log = cf->log;
+ plcf->upstream.ssl->ca_certificate_file =
+ plcf->upstream.ssl_certificate_file;
+ plcf->upstream.ssl->ca_certificate_path =
+ plcf->upstream.ssl_certificate_path;
+
if (ngx_ssl_create(plcf->upstream.ssl,
NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
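Review bot: The two strings are copied into `ngx_ssl_t` exactly as written in the configuration, so a relative path would be handed to OpenSSL relative to the worker's current directory rather than the nginx prefix; as far as I recall, nginx's own `ssl_certificate` handling resolves its value with `ngx_conf_full_name` before use. If relative paths are meant to be supported, that resolution belongs before these assignments (or in the directive handler); if not, the directive documentation should state that the paths must be absolute. The enclosing function starts and ends outside the hunk.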
diff -uNr ../nginx-1.4.2/src/http/ngx_http_upstream.h
src/http/ngx_http_upstream.h
--- ../nginx-1.4.2/src/http/ngx_http_upstream.h 2013-07-17
13:51:22.000000000 +0100
+++ src/http/ngx_http_upstream.h 2013-08-28 08:21:26.090300917 +0100
@@ -191,6 +191,8 @@
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl;
ngx_flag_t ssl_session_reuse;
+ ngx_str_t ssl_certificate_file;
+ ngx_str_t ssl_certificate_path;
#endif
ngx_str_t module;