Verify Upstream SSL Certs

Maxim Dounin mdounin at
Wed Aug 28 08:54:03 UTC 2013


On Wed, Aug 28, 2013 at 09:20:46AM +0100, Phil Parker wrote:

> This has been discussed in detail previously:
> I have created a patch that I'm using locally and would like to contribute
> but am a first-time contributor so looking for advice.

Given the fact that Aviram Cohen's patch for the same ticket is 
already in the review process, I would suggest that you join the 
review/testing instead.

See this thread for details:

> The way I've implemented it supports two (mutually exclusive) new
> directives on a location. e.g.
> location / {
>     proxy_ssl_peer_certificate_path "/tmp/sslcerts";
>     #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
>     proxy_pass ....
> }
> These are passed through to SSL_CTX_load_verify_locations (

Just a side note: we don't provide "_path" variants for other 
certificate verification directives, so it's unlikely it will be 
accepted for a proxy peer verification.

> The main advice I'm looking for:
> 1) Is this implemented in a way that is useful for others?
> 2) Should I be writing tests/test driving? If so, how?

Writing tests may make sense (though not required); the test suite is 
available at

> 3) Anything in the patch (below) that needs to be changed (implementation
> or style)?
> 4) How best to submit the patch (I've currently made it against 1.4.2 and
> just created a patch file, not currently a Mercurial user but can check-out
> if necessary)?

Basic recommendations can be found here:


Maxim Dounin
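For contrast with the proposed directives above, here is an added configuration example (not from this thread or Phil's patch) written with the upstream-verification directives nginx later shipped, which follow the single-file convention Maxim describes; the upstream name and file paths are placeholders.

```nginx
# Weak: a trust store is loaded, but nothing checks the upstream
# certificate, because proxy_ssl_verify defaults to off.
location /weak/ {
    proxy_pass https://backend.example.internal;
    proxy_ssl_trusted_certificate /etc/nginx/ca/upstream-ca.pem;
}

# Corrected: verification is on, chain depth is bounded, and the expected
# upstream name is pinned and also sent as SNI so the right cert is served.
location /hardened/ {
    proxy_pass https://backend.example.internal;
    proxy_ssl_trusted_certificate /etc/nginx/ca/upstream-ca.pem;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_name backend.example.internal;
    proxy_ssl_server_name on;
}
```

Note that proxy_ssl_trusted_certificate accepts a single PEM file only, so a bundle of CA certificates is concatenated rather than pointed to as a directory.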
