[PATCH] Make ssl upstream server name check configurable

Fri Oct 13 10:14:00 UTC 2017

# HG changeset patch
# User Zhihua Cao <czhihua at vmware.com>
# Date 1507889088 25200
#      Fri Oct 13 03:04:48 2017 -0700
# Node ID d3ea6fe7edb19f55896ec1b77f76d23b7fb598a4
# Parent  648b1cca8f50d83eea02a6cc2c105ae95a3f3d72
Make ssl upstream server name check configurable

Now when nginx always check common name in upstream's certificate with
upstream.ssl_name. But they are not always same, it check fails, ssl
handshake will fail. If proxy_ssl_server_name_check is off, turn off
the check.

diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/modules/ngx_http_proxy_module.c

--- a/src/http/modules/ngx_http_proxy_module.c	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c	Fri Oct 13 03:04:48 2017 -0700
@@ -673,6 +673,13 @@
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
       NULL },
 
+    { ngx_string("proxy_ssl_server_name_check"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name_check),
+      NULL },
+ 
     { ngx_string("proxy_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
@@ -2906,6 +2913,7 @@
     conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
     conf->upstream.ssl_server_name = NGX_CONF_UNSET;
     conf->upstream.ssl_verify = NGX_CONF_UNSET;
+    conf->upstream.ssl_server_name_check = NGX_CONF_UNSET;
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
     conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 #endif
@@ -3237,6 +3245,8 @@
                               prev->upstream.ssl_server_name, 0);
     ngx_conf_merge_value(conf->upstream.ssl_verify,
                               prev->upstream.ssl_verify, 0);
+    ngx_conf_merge_value(conf->upstream.ssl_server_name_check,
+                              prev->upstream.ssl_server_name_check, 1);
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
                               prev->ssl_verify_depth, 1);
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.c	Fri Oct 13 03:04:48 2017 -0700
@@ -1733,7 +1733,8 @@
                 goto failed;
             }
 
-            if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
+            if (u->conf->ssl_server_name_check
+                && ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
                 ngx_log_error(NGX_LOG_ERR, c->log, 0,
                               "upstream SSL certificate does not match \"%V\"",
                               &u->ssl_name);
diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/ngx_http_upstream.h
--- a/src/http/ngx_http_upstream.h	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.h	Fri Oct 13 03:04:48 2017 -0700
@@ -229,6 +229,7 @@
     ngx_http_complex_value_t        *ssl_name;
     ngx_flag_t                       ssl_server_name;
     ngx_flag_t                       ssl_verify;
+    ngx_flag_t                       ssl_server_name_check;
 #endif
 
     ngx_str_t                        module;
