Verify Upstream SSL Certs

Phil Parker parker.p.dev at gmail.com
Wed Aug 28 08:20:46 UTC 2013 

This has been discussed in detail previously:

http://trac.nginx.org/nginx/ticket/13
http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

I have created a patch that I'm using locally and would like to contribute
but am a first-time contributor so looking for advice.

The way I've implemented it supports two (mutually exclusive) new
directives on a location. e.g.

location / {
    proxy_ssl_peer_certificate_path "/tmp/sslcerts";
    #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
    proxy_pass ....
}

These are passed through to SSL_CTX_load_verify_locations (
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)

The main advice I'm looking for:

1) Is this implemented in a way that is useful for others?
2) Should I be writing tests/test driving? If so, how?
3) Anything in the patch (below) that needs to be changed (implementation
or style)?
4) How best to submit the patch (I've currently made it against 1.4.2 and
just created a patch file, not currently a Mercurial user but can check-out
if necessary)?


Thx,

P.

diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c
--- ../nginx-1.4.2/src/event/ngx_event_openssl.c 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.c 2013-08-28 08:21:26.062300918 +0100
@@ -228,6 +228,30 @@

     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);

+ if (ssl->ca_certificate_file.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, (const char *)
+                                   ssl->ca_certificate_file.data, NULL
+                                   ) == 0){
+     ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+                      "SSL_CTX_load_verify_locations(ctx, \"%s\", NULL)
failed",
+                      (const char *)ssl->ca_certificate_file.data);
+     return NGX_ERROR;
+ }
+    }
+
+    if (ssl->ca_certificate_path.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, NULL,
+                                   (const char *)
+                                   ssl->ca_certificate_path.data) == 0){
+     ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+                      "SSL_CTX_load_verify_locations(ctx, NULL, \"%s\")
failed",
+                      (const char *)ssl->ca_certificate_path.data);
+     return NGX_ERROR;
+ }
+    }
+
     return NGX_OK;
 }

diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.h
src/event/ngx_event_openssl.h
--- ../nginx-1.4.2/src/event/ngx_event_openssl.h 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.h 2013-08-28 08:21:26.074300918 +0100
@@ -29,6 +29,8 @@
 typedef struct {
     SSL_CTX                    *ctx;
     ngx_log_t                  *log;
+    ngx_str_t                   ca_certificate_file;
+    ngx_str_t                   ca_certificate_path;
 } ngx_ssl_t;


diff -uNr ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c
src/http/modules/ngx_http_proxy_module.c
--- ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c 2013-07-17
13:51:22.000000000 +0100
+++ src/http/modules/ngx_http_proxy_module.c 2013-08-28 08:21:26.074300918
+0100
@@ -511,6 +511,20 @@
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),
       NULL },

+     { ngx_string("proxy_ssl_peer_certificate_file"),
+
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_file),
+      NULL },
+
+    { ngx_string("proxy_ssl_peer_certificate_path"),
+
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_path),
+      NULL },
+
 #endif

       ngx_null_command
@@ -3742,6 +3756,11 @@

     plcf->upstream.ssl->log = cf->log;

+    plcf->upstream.ssl->ca_certificate_file =
+ plcf->upstream.ssl_certificate_file;
+    plcf->upstream.ssl->ca_certificate_path =
+ plcf->upstream.ssl_certificate_path;
+
     if (ngx_ssl_create(plcf->upstream.ssl,
                        NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
                                     |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
diff -uNr ../nginx-1.4.2/src/http/ngx_http_upstream.h
src/http/ngx_http_upstream.h
--- ../nginx-1.4.2/src/http/ngx_http_upstream.h 2013-07-17
13:51:22.000000000 +0100
+++ src/http/ngx_http_upstream.h 2013-08-28 08:21:26.090300917 +0100
@@ -191,6 +191,8 @@
 #if (NGX_HTTP_SSL)
     ngx_ssl_t                       *ssl;
     ngx_flag_t                       ssl_session_reuse;
+ ngx_str_t                        ssl_certificate_file;
+ ngx_str_t                        ssl_certificate_path;
 #endif

     ngx_str_t                        module;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20130828/84a17391/attachment.html>

More information about the nginx-devel mailing list