[nginx] Upstream: handling of certificates specified as an empty string.

Sergey Kandaurov pluknet at nginx.com
Tue Jun 7 16:54:17 UTC 2022


details:   https://hg.nginx.org/nginx/rev/c7e25324be11
branches:  
changeset: 8042:c7e25324be11
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Jun 07 20:08:57 2022 +0400
description:
Upstream: handling of certificates specified as an empty string.

Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).

diffstat:

 src/http/modules/ngx_http_grpc_module.c  |   5 +++--
 src/http/modules/ngx_http_proxy_module.c |   5 +++--
 src/http/modules/ngx_http_uwsgi_module.c |   5 +++--
 src/http/ngx_http_upstream.c             |   6 ++++--
 src/stream/ngx_stream_proxy_module.c     |  11 +++++++----
 5 files changed, 20 insertions(+), 12 deletions(-)

diffs (89 lines):

diff -r 0784ab86ad08 -r c7e25324be11 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c	Tue Jun 07 00:07:12 2022 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c	Tue Jun 07 20:08:57 2022 +0400
@@ -4906,8 +4906,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
         return NGX_ERROR;
     }
 
-    if (glcf->upstream.ssl_certificate) {
-
+    if (glcf->upstream.ssl_certificate
+        && glcf->upstream.ssl_certificate->value.len)
+    {
         if (glcf->upstream.ssl_certificate_key == NULL) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"grpc_ssl_certificate_key\" is defined "
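Review bot: The new `value.len` test in ngx_http_grpc_set_ssl() carries no comment, so a reader cannot tell that an empty string is a deliberate "no client certificate" setting rather than a guard against a malformed value. The same applies to the identical conditions in ngx_http_proxy_set_ssl(), ngx_http_uwsgi_set_ssl() and ngx_stream_proxy_set_ssl(). I would add above the `if`: `/* an empty value cancels a certificate inherited from the previous level */`. Because the whole block is now skipped for an empty value, the missing-key check inside it is skipped too, and as far as this hunk shows nothing is logged when an inherited client certificate is dropped; that is worth stating in the directive documentation for deployments that rely on mutual TLS towards the upstream. The function body starts and ends outside the hunk.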
diff -r 0784ab86ad08 -r c7e25324be11 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Tue Jun 07 00:07:12 2022 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c	Tue Jun 07 20:08:57 2022 +0400
@@ -4955,8 +4955,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
-    if (plcf->upstream.ssl_certificate) {
-
+    if (plcf->upstream.ssl_certificate
+        && plcf->upstream.ssl_certificate->value.len)
+    {
         if (plcf->upstream.ssl_certificate_key == NULL) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"proxy_ssl_certificate_key\" is defined "
diff -r 0784ab86ad08 -r c7e25324be11 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c	Tue Jun 07 00:07:12 2022 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c	Tue Jun 07 20:08:57 2022 +0400
@@ -2487,8 +2487,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }
 
-    if (uwcf->upstream.ssl_certificate) {
-
+    if (uwcf->upstream.ssl_certificate
+        && uwcf->upstream.ssl_certificate->value.len)
+    {
         if (uwcf->upstream.ssl_certificate_key == NULL) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"uwsgi_ssl_certificate_key\" is defined "
diff -r 0784ab86ad08 -r c7e25324be11 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c	Tue Jun 07 00:07:12 2022 +0300
+++ b/src/http/ngx_http_upstream.c	Tue Jun 07 20:08:57 2022 +0400
@@ -1690,8 +1690,10 @@ ngx_http_upstream_ssl_init_connection(ng
         }
     }
 
-    if (u->conf->ssl_certificate && (u->conf->ssl_certificate->lengths
-                                     || u->conf->ssl_certificate_key->lengths))
+    if (u->conf->ssl_certificate
+        && u->conf->ssl_certificate->value.len
+        && (u->conf->ssl_certificate->lengths
+            || u->conf->ssl_certificate_key->lengths))
     {
         if (ngx_http_upstream_ssl_certificate(r, u, c) != NGX_OK) {
             ngx_http_upstream_finalize_request(r, u,
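Review bot: The order of the clauses in this condition is now load-bearing and nothing says so: `u->conf->ssl_certificate_key->lengths` is dereferenced without a NULL test and is only safe because `value.len` is checked first. With an empty certificate the *_set_ssl() functions changed in this commit skip the "no ... certificate_key is defined" check, so the key pointer can apparently be NULL when this code runs. I would add a comment above the `if`, e.g. `/* ssl_certificate_key is non-NULL whenever ssl_certificate is non-empty, see *_set_ssl() */`, or test the key pointer explicitly; the same holds for the condition in ngx_stream_proxy_ssl_init_connection(). Note also that `value.len` is the length of the configured string, so a variable that evaluates to an empty value at run time still reaches ngx_http_upstream_ssl_certificate(), whose handling of that case is not visible in this hunk.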
diff -r 0784ab86ad08 -r c7e25324be11 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c	Tue Jun 07 00:07:12 2022 +0300
+++ b/src/stream/ngx_stream_proxy_module.c	Tue Jun 07 20:08:57 2022 +0400
@@ -1069,8 +1069,10 @@ ngx_stream_proxy_ssl_init_connection(ngx
         }
     }
 
-    if (pscf->ssl_certificate && (pscf->ssl_certificate->lengths
-                                  || pscf->ssl_certificate_key->lengths))
+    if (pscf->ssl_certificate
+        && pscf->ssl_certificate->value.len
+        && (pscf->ssl_certificate->lengths
+            || pscf->ssl_certificate_key->lengths))
     {
         if (ngx_stream_proxy_ssl_certificate(s) != NGX_OK) {
             ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
@@ -2225,8 +2227,9 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
         return NGX_ERROR;
     }
 
-    if (pscf->ssl_certificate) {
-
+    if (pscf->ssl_certificate
+        && pscf->ssl_certificate->value.len)
+    {
         if (pscf->ssl_certificate_key == NULL) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no \"proxy_ssl_certificate_key\" is defined "


