[PATCH 5 of 6] SSL: add ngx_ssl_verify_host()
Piotr Sikora
piotrsikora at google.com
Thu Aug 18 00:29:26 UTC 2016
# HG changeset patch
# User Piotr Sikora <piotrsikora at google.com>
# Date 1471428995 25200
# Wed Aug 17 03:16:35 2016 -0700
# Node ID 5550dfc1414afcd5471b7fc8ca4482f7e18ba865
# Parent a9f36e1dd744130aa2ba080ae2a63f07986c8e83
SSL: add ngx_ssl_verify_host().
No functional changes.
Signed-off-by: Piotr Sikora <piotrsikora at google.com>
diff -r a9f36e1dd744 -r 5550dfc1414a src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3108,6 +3108,24 @@ ngx_ssl_verify_client(ngx_connection_t *
ngx_int_t
+ngx_ssl_verify_host(ngx_connection_t *c, ngx_str_t *name)
+{
+ long rc;
+
+ rc = SSL_get_verify_result(c->ssl->connection);
+ if (rc != X509_V_OK) {
+ return (ngx_int_t) rc;
+ }
+
+ if (ngx_ssl_check_host(c, name) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
{
X509 *cert;
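Review bot: ngx_ssl_verify_host() (L19–L33) returns values from two different domains — NGX_ERROR for a name mismatch and a raw X509_V_ERR_* code cast to ngx_int_t for a chain-verification failure — but nothing documents that contract, and every caller must test `rc == NGX_ERROR` before `rc != NGX_OK` to tell the cases apart. A comment above the definition such as `/* returns NGX_OK, NGX_ERROR if the certificate does not match name, or the (positive) X509_V_ERR_* verify result cast to ngx_int_t */` would make that explicit; the pass-through at L25 is only safe because X509_V_OK and NGX_OK are both 0. Per the OpenSSL documentation SSL_get_verify_result() reports X509_V_OK when the peer presented no certificate at all, so this function relies entirely on ngx_ssl_check_host() rejecting a missing peer certificate — its body lies outside the hunk, so that behaviour should be confirmed rather than assumed.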
diff -r a9f36e1dd744 -r 5550dfc1414a src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -190,6 +190,7 @@ ngx_int_t ngx_ssl_set_session(ngx_connec
ngx_int_t ngx_ssl_verify_client(ngx_connection_t *c, ngx_ssl_t *ssl,
ngx_uint_t verify);
+ngx_int_t ngx_ssl_verify_host(ngx_connection_t *c, ngx_str_t *name);
#define ngx_ssl_verify_error_optional(n) \
(n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \
|| n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \
diff -r a9f36e1dd744 -r 5550dfc1414a src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1565,7 +1565,7 @@ ngx_http_upstream_ssl_init_connection(ng
static void
ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
{
- long rc;
+ ngx_int_t rc;
ngx_http_request_t *r;
ngx_http_upstream_t *u;
@@ -1577,20 +1577,19 @@ ngx_http_upstream_ssl_handshake(ngx_conn
if (c->ssl->handshaked) {
if (u->conf->ssl_verify) {
- rc = SSL_get_verify_result(c->ssl->connection);
-
- if (rc != X509_V_OK) {
- ngx_log_error(NGX_LOG_ERR, c->log, 0,
- "upstream SSL certificate verify error: (%l:%s)",
- rc, X509_verify_cert_error_string(rc));
- goto failed;
- }
-
- if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
+ rc = ngx_ssl_verify_host(c, &u->ssl_name);
+
+ if (rc == NGX_ERROR) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"upstream SSL certificate does not match \"%V\"",
&u->ssl_name);
goto failed;
+
+ } else if (rc != NGX_OK) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "upstream SSL certificate verify error: (%i:%s)",
+ rc, ngx_ssl_verify_error_string(rc));
+ goto failed;
}
}
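Review bot: The two-branch test at L76–L86 depends on an unstated property of ngx_ssl_verify_host(): NGX_ERROR means the name did not match and any other non-NGX_OK value is an X509_V_ERR_* code, so the `rc == NGX_ERROR` arm has to come first or a mismatch would be logged as a verify error with a meaningless code. A one-line comment above `if (rc == NGX_ERROR) {`, e.g. `/* NGX_ERROR: name mismatch; any other non-OK value is an X509_V_ERR_* code */`, would make that ordering constraint visible. The same applies to the identical branches in the ngx_stream_proxy_module.c hunk at L118–L128. ngx_http_upstream_ssl_handshake() continues past the hunk (`failed:` is outside it).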
diff -r a9f36e1dd744 -r 5550dfc1414a src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -976,7 +976,7 @@ ngx_stream_proxy_ssl_init_connection(ngx
static void
ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
{
- long rc;
+ ngx_int_t rc;
ngx_stream_session_t *s;
ngx_stream_upstream_t *u;
ngx_stream_proxy_srv_conf_t *pscf;
@@ -988,21 +988,18 @@ ngx_stream_proxy_ssl_handshake(ngx_conne
if (pc->ssl->handshaked) {
if (pscf->ssl_verify) {
- rc = SSL_get_verify_result(pc->ssl->connection);
-
- if (rc != X509_V_OK) {
- ngx_log_error(NGX_LOG_ERR, pc->log, 0,
- "upstream SSL certificate verify error: (%l:%s)",
- rc, X509_verify_cert_error_string(rc));
- goto failed;
- }
-
- u = s->upstream;
-
- if (ngx_ssl_check_host(pc, &u->ssl_name) != NGX_OK) {
+ rc = ngx_ssl_verify_host(pc, &s->upstream->ssl_name);
+
+ if (rc == NGX_ERROR) {
ngx_log_error(NGX_LOG_ERR, pc->log, 0,
"upstream SSL certificate does not match \"%V\"",
- &u->ssl_name);
+ &s->upstream->ssl_name);
+ goto failed;
+
+ } else if (rc != NGX_OK) {
+ ngx_log_error(NGX_LOG_ERR, pc->log, 0,
+ "upstream SSL certificate verify error: (%i:%s)",
+ rc, ngx_ssl_verify_error_string(rc));
goto failed;
}
}
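Review bot: The removed `u = s->upstream;` at L113 was the only assignment of `u` visible in this hunk, yet `ngx_stream_upstream_t *u;` at L99 stays declared. If no statement later in ngx_stream_proxy_ssl_handshake() assigns it (the rest of the function is outside the hunk), `u` is now an unused declaration that -Wunused-variable will flag, and if it is read later it is read uninitialized; either drop the declaration or keep the assignment, depending on what the full function does.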