[PATCH] SSL: fix order of checks during SSL certificate verification
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 5 14:16:03 UTC 2016
Hello!
On Sat, Sep 03, 2016 at 03:27:35PM -0700, Piotr Sikora wrote:
> Hey Maxim,
>
> > No, you are incorrect here. "In connection with" means that
> > SSL_get_peer_certificate() should be used, but doesn't require it
> > to be used always, in all cases. In particular,
> > SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> > returns anything but X509_V_OK.
>
> Sigh, why do you insist on checking status of verification of client
> certificate that wasn't sent in the first place?
It's not me who insists on anything. It's you who insists that the
current code is wrong. It's not.
> > Because ngx_ssl_verify_host() is expected to be a generic
> > function, and it can be used in situations different from talking
> > to upstream servers.
>
> Like what, exactly?
For example, it can be used to verify a host of the auth_http server
in mail, or an OCSP responder - if we implement SSL there.
> Also, for the record, are you fine with "client" in
> ngx_ssl_verify_client() or is that also expected to be generic
> function?
Yes, more or less. I'm not fine with the ngx_ssl_verify_client()
implementation as suggested in patches I've seen so far, as it
seems too biased to the current use of client verification in http
module, but it's a different question.
--
Maxim Dounin
http://nginx.org/