<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">This has been discussed in detail previously:</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">

<a href="http://trac.nginx.org/nginx/ticket/13" target="_blank">http://trac.nginx.org/nginx/ticket/13</a><br></div><div style="font-family:arial,sans-serif;font-size:13px"><a href="http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html" target="_blank">http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html</a><br>

</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I have created a patch that I'm using locally and would like to contribute, but I am a first-time contributor, so I'm looking for advice.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">The way I've implemented it supports two (mutually exclusive) new directives on a location, e.g.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>location / {</div><div>    proxy_ssl_peer_certificate_path "/tmp/sslcerts";</div>
<div>
    #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";</div><div>    proxy_pass ....</div><div>}</div></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">

These are passed through to SSL_CTX_load_verify_locations (<a href="http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html" target="_blank">http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html</a>)</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">The main advice I'm looking for:</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">1) Is this implemented in a way that is useful for others?</div><div style="font-family:arial,sans-serif;font-size:13px">2) Should I be writing tests/test driving? If so, how?</div>

<div style="font-family:arial,sans-serif;font-size:13px">3) Anything in the patch (below) that needs to be changed (implementation or style)?</div><div style="font-family:arial,sans-serif;font-size:13px">4) How best to submit the patch (I've currently made it against 1.4.2 and just created a patch file; I'm not currently a Mercurial user but can check out if necessary)?</div>

<div style="font-family:arial,sans-serif;font-size:13px"> </div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thx,</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">P.</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.c src/event/ngx_event_openssl.c</div>

<div>--- ../nginx-1.4.2/src/event/ngx_event_openssl.c<span style="white-space:pre-wrap">  </span>2013-07-17 13:51:21.000000000 +0100</div><div>+++ src/event/ngx_event_openssl.c<span style="white-space:pre-wrap">     </span>2013-08-28 08:21:26.062300918 +0100</div>

<div>@@ -228,6 +228,30 @@</div><div> </div><div>     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);</div><div> </div><div>+<span style="white-space:pre-wrap">    </span>if (ssl->ca_certificate_file.len > 0) {</div>

<div>+<span style="white-space:pre-wrap">         </span>SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);</div><div>+<span style="white-space:pre-wrap">         </span>if (SSL_CTX_load_verify_locations(ssl->ctx, (const char *)</div>

<div>+<span style="white-space:pre-wrap">         </span>                                  ssl->ca_certificate_file.data, NULL </div><div>+<span style="white-space:pre-wrap">               </span>                                  ) == 0){</div>

<div>+    <span style="white-space:pre-wrap">             </span>ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,</div><div>+                      "SSL_CTX_load_verify_locations(ctx, \"%s\", NULL) failed", </div><div>

+                      (const char *)ssl->ca_certificate_file.data);</div><div>+    <span style="white-space:pre-wrap">          </span>return NGX_ERROR;</div><div>+<span style="white-space:pre-wrap">               </span>}</div><div>+    }</div>

<div>+<span style="white-space:pre-wrap"> </span></div><div>+    if (ssl->ca_certificate_path.len > 0) {</div><div>+<span style="white-space:pre-wrap">               </span>SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);</div>

<div>+<span style="white-space:pre-wrap">         </span>if (SSL_CTX_load_verify_locations(ssl->ctx, NULL, </div><div>+<span style="white-space:pre-wrap">           </span>                                  (const char *)</div><div>+<span style="white-space:pre-wrap">                </span>                                  ssl->ca_certificate_path.data) == 0){</div>

<div>+    <span style="white-space:pre-wrap">             </span>ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,</div><div>+                      "SSL_CTX_load_verify_locations(ctx, NULL, \"%s\") failed", </div><div>

+                      (const char *)ssl->ca_certificate_path.data);</div><div>+    <span style="white-space:pre-wrap">          </span>return NGX_ERROR;</div><div>+<span style="white-space:pre-wrap">               </span>}</div><div>+    }</div>

<div>+</div><div>     return NGX_OK;</div><div> }</div><div> </div><div>diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.h src/event/ngx_event_openssl.h</div><div>--- ../nginx-1.4.2/src/event/ngx_event_openssl.h<span style="white-space:pre-wrap">    </span>2013-07-17 13:51:21.000000000 +0100</div>

<div>+++ src/event/ngx_event_openssl.h<span style="white-space:pre-wrap"> </span>2013-08-28 08:21:26.074300918 +0100</div><div>@@ -29,6 +29,8 @@</div><div> typedef struct {</div><div>     SSL_CTX                    *ctx;</div>

<div>     ngx_log_t                  *log;</div><div>+    ngx_str_t                   ca_certificate_file;</div><div>+    ngx_str_t                   ca_certificate_path;</div><div> } ngx_ssl_t;</div><div> </div><div> </div>
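<div>Review bot: In the @@ -29 hunk of ngx_event_openssl.h, the two CA locations become members of ngx_ssl_t purely so that ngx_ssl_create() can read them, which changes the contract of a struct shared by every SSL user (http ssl, mail) and hides a verification setting inside context creation. The existing server-side counterpart, ngx_ssl_client_certificate(), takes the certificate path and depth as arguments and is called after ngx_ssl_create(); a matching function for the upstream trust store (something like ngx_ssl_trusted_certificate(cf, ssl, cert, depth), name illustrative) would follow that pattern and need no new struct members. Whichever way it is done, the names should agree with the ngx_http_upstream.h side: here they are ca_certificate_file/path, there ssl_certificate_file/path.</div>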

<div>diff -uNr ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c src/http/modules/ngx_http_proxy_module.c</div><div>--- ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c<span style="white-space:pre-wrap">      </span>2013-07-17 13:51:22.000000000 +0100</div>

<div>+++ src/http/modules/ngx_http_proxy_module.c<span style="white-space:pre-wrap">      </span>2013-08-28 08:21:26.074300918 +0100</div><div>@@ -511,6 +511,20 @@</div><div>       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),</div>

<div>       NULL },</div><div> </div><div>+     { ngx_string("proxy_ssl_peer_certificate_file"),</div><div>+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,</div><div>+      ngx_conf_set_str_slot,</div>

<div>+      NGX_HTTP_LOC_CONF_OFFSET,</div><div>+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_file),</div><div>+      NULL },</div><div>+ </div><div>+    { ngx_string("proxy_ssl_peer_certificate_path"),</div>

<div>+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,</div><div>+      ngx_conf_set_str_slot,</div><div>+      NGX_HTTP_LOC_CONF_OFFSET,</div><div>+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_path),</div>

<div>+      NULL },</div><div>+</div><div> #endif</div><div> </div><div>       ngx_null_command</div><div>@@ -3742,6 +3756,11 @@</div><div> </div><div>     plcf->upstream.ssl->log = cf->log;</div><div> </div><div>

+    plcf->upstream.ssl->ca_certificate_file = </div><div>+<span style="white-space:pre-wrap">                </span>plcf->upstream.ssl_certificate_file;</div><div>+    plcf->upstream.ssl->ca_certificate_path = </div><div>

+<span style="white-space:pre-wrap">            </span>plcf->upstream.ssl_certificate_path;</div><div>+</div><div>     if (ngx_ssl_create(plcf->upstream.ssl,</div><div>                        NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1</div>

<div>                                     |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,</div><div>diff -uNr ../nginx-1.4.2/src/http/ngx_http_upstream.h src/http/ngx_http_upstream.h</div><div>--- ../nginx-1.4.2/src/http/ngx_http_upstream.h<span style="white-space:pre-wrap">     </span>2013-07-17 13:51:22.000000000 +0100</div>

<div>+++ src/http/ngx_http_upstream.h<span style="white-space:pre-wrap">  </span>2013-08-28 08:21:26.090300917 +0100</div><div>@@ -191,6 +191,8 @@</div><div> #if (NGX_HTTP_SSL)</div><div>     ngx_ssl_t                       *ssl;</div>

<div>     ngx_flag_t                       ssl_session_reuse;</div><div>+<span style="white-space:pre-wrap">  </span>ngx_str_t                        ssl_certificate_file;</div><div>+<span style="white-space:pre-wrap">  </span>ngx_str_t                        ssl_certificate_path;</div>

<div> #endif</div><div> </div><div>     ngx_str_t                        module;</div></div></div>
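<div>Review bot: In the @@ -228 hunk of ngx_event_openssl.c, SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL) only makes OpenSSL validate the chain against the loaded CAs; nothing ties the presented certificate to the upstream host, so any certificate issued by a CA in the bundle is accepted for any proxy_pass target, and no SSL_CTX_set_verify_depth() is applied, so the OpenSSL default chain depth is used. Hostname matching is not available through SSL_CTX_set_verify on the OpenSSL releases this patch targets, so it would have to be done on the peer certificate after the handshake in the proxy module, together with a depth directive in the style of ssl_verify_depth. Separately, the covering mail calls the two directives mutually exclusive, but the two if blocks run independently and SSL_CTX_load_verify_locations() is additive, so either reject both being set at configuration time or drop the "mutually exclusive" claim. Style: the added lines are tab-indented and use ") == 0){"; nginx sources use four spaces, no tabs, and ") == 0) {".</div>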
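<div>Review bot: In the @@ -511 hunk of ngx_http_proxy_module.c, both directives are flagged NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF, but the patch shows no ngx_conf_merge_str_value() for upstream.ssl_certificate_file/path in ngx_http_proxy_merge_loc_conf, so a value set in http{} or server{} would never reach the location whose ngx_ssl_t is built; either add the merge or restrict the flags to NGX_HTTP_LOC_CONF. The field names are also misleading: ssl_certificate in nginx means the certificate we present, whereas proxy_ssl_peer_certificate_file names a trust anchor, so name the fields after what they hold. Minor: the first entry is indented five spaces ("+     { ngx_string(") where the surrounding table uses four.</div>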
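<div>Review bot: In the @@ -3742 hunk of ngx_http_proxy_module.c, the two paths are copied into plcf->upstream.ssl exactly as written in the configuration; they are never run through ngx_conf_full_name(), which ssl_certificate and the other file-taking directives use, so a relative proxy_ssl_peer_certificate_file would be resolved against the process's current working directory at configuration time rather than the nginx prefix. Resolve both strings here, or in the directive handler, before ngx_ssl_create() is called. The context lines also show that this ngx_ssl_t is created per proxy location, so every location that names a CA bundle parses it separately; that is acceptable but worth a sentence in the eventual documentation.</div>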
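<div>Review bot: In the @@ -191 hunk of ngx_http_upstream.h, the two new members appear to be indented with a tab while the neighbouring lines use spaces, and the names ssl_certificate_file/ssl_certificate_path describe a trust store, not our own certificate; the same data is called ca_certificate_file/path in ngx_ssl_t. Pick one name (for example ssl_trusted_certificate / ssl_trusted_path) and use it in both headers and in the directive table.</div>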
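<div>As an added example (not nginx code and not part of the patch or the mail above), the script below exercises the two trust-store forms that the proposed directives hand to SSL_CTX_load_verify_locations(): a single PEM bundle (the CAfile argument, what proxy_ssl_peer_certificate_file would carry) and a directory of hashed file names (the CApath argument, what proxy_ssl_peer_certificate_path would carry). It then shows the caveat that matters for a reverse proxy: chain verification alone accepts any certificate the CA issued, regardless of which host it names. It assumes an openssl binary on PATH; every certificate is generated in a temporary directory, and the CA name and the two host names are made up.</div>

```shell
#!/bin/sh
# Added example, not nginx code and not part of the patch above.
# Exercises the two forms SSL_CTX_load_verify_locations() accepts
# (CAfile bundle vs. hashed CApath directory) with the openssl CLI and
# shows that chain verification alone does not check the peer's name.
# Assumes an openssl binary on PATH; all certificates are generated here.
# The CA name and the two host names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private CA plus two leaf certificates signed by it.
make_ca_and_leaves() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    for name in backend.example.test other.example.test; do
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    done
}

# CApath lookups expect each CA under <subject_hash>.<n>, which is what
# c_rehash / "openssl rehash" produce.  A plain copy called ca.pem in the
# same directory is never consulted, so a second, unhashed directory is
# built to demonstrate that failure mode.
build_capaths() {
    mkdir -p "$WORK/capath" "$WORK/flatdir"
    subj_hash=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
    cp "$WORK/ca.pem" "$WORK/capath/$subj_hash.0"
    cp "$WORK/ca.pem" "$WORK/flatdir/ca.pem"
}

# Print OK or FAIL by inspecting output rather than exit status, because
# "openssl verify" in the 1.0.x series exits 0 even when verification fails.
report() {
    case "$1" in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

verify_with_cafile() {             # $1 = leaf cert (CAfile form)
    out=$(openssl verify -CAfile "$WORK/ca.pem" "$1" 2>&1) || true
    report "$out"
}

verify_with_capath() {             # $1 = leaf cert, $2 = directory (CApath form)
    out=$(openssl verify -CApath "$2" "$1" 2>&1) || true
    report "$out"
}

verify_with_hostname() {           # $1 = leaf cert, $2 = name we meant to reach
    out=$(openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" 2>&1) || true
    report "$out"
}

make_ca_and_leaves
build_capaths

BACKEND="$WORK/backend.example.test.pem"
OTHER="$WORK/other.example.test.pem"
echo "CAfile,  backend cert:             $(verify_with_cafile "$BACKEND")"
echo "CApath,  backend cert (hashed):    $(verify_with_capath "$BACKEND" "$WORK/capath")"
echo "CApath,  backend cert (unhashed):  $(verify_with_capath "$BACKEND" "$WORK/flatdir")"
echo "CAfile,  other host's cert:        $(verify_with_cafile "$OTHER")"
echo "CAfile + hostname, other's cert:   $(verify_with_hostname "$OTHER" backend.example.test)"
```

<div>The third and fourth lines of output are the ones to take to the patch: a CApath directory that has not been rehashed silently trusts nothing, and a bundle-only check passes the other host's certificate, which is exactly the gap that a hostname check after the handshake (or a later directive pinning the expected name) has to close.</div>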