Verify Upstream SSL Certs

Maxim Dounin mdounin at mdounin.ru
Wed Aug 28 08:54:03 UTC 2013


Hello!

On Wed, Aug 28, 2013 at 09:20:46AM +0100, Phil Parker wrote:

> This has been discussed in detail previously:
> 
> http://trac.nginx.org/nginx/ticket/13
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
> 
> I have created a patch that I'm using locally and would like to contribute
> but am a first-time contributor so looking for advice.

Given the fact that Aviram Cohen's patch for the same ticket is 
already in the review process, I would suggest you join 
review/testing instead.

See this thread for details:
http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004085.html

> The way I've implemented it supports two (mutually exclusive) new
> directives on a location. e.g.
> 
> location / {
>     proxy_ssl_peer_certificate_path "/tmp/sslcerts";
>     #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
>     proxy_pass ....
> }
> 
> These are passed through to SSL_CTX_load_verify_locations (
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)

Just a side note: we don't provide "_path" variants for other 
certificate verification directives, so it's unlikely it will be 
accepted for a proxy peer verification.

> The main advice I'm looking for:
> 
> 1) Is this implemented in a way that is useful for others?
> 2) Should I be writing tests/test driving? If so, how?

Writing tests may make sense (though not required); the test suite is 
available at http://hg.nginx.org/nginx-tests.

> 3) Anything in the patch (below) that needs to be changed (implementation
> or style)?
> 4) How best to submit the patch (I've currently made it against 1.4.2 and
> just created a patch file, not currently a Mercurial user but can check-out
> if necessary)?

Basic recommendations can be found here:

http://nginx.org/en/docs/contributing_changes.html

[...]

-- 
Maxim Dounin
http://nginx.org/en/donation.html
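As an added example (not part of this thread, nor of either patch under review), the configuration below contrasts an unverified HTTPS upstream with one whose certificate is checked, using the proxy_ssl_* directives that nginx later added for this purpose. The upstream host name and the CA bundle path are placeholders.

```nginx
# Added example, not the thread's or the patch's code.
# backend.internal.example and /etc/nginx/upstream-ca.pem are placeholders.

location /unverified/ {
    # Weak: the connection to the upstream is TLS, but the upstream's
    # certificate is never checked, so any certificate is accepted.
    proxy_pass https://backend.internal.example;
}

location /verified/ {
    proxy_pass https://backend.internal.example;

    # Verify the upstream certificate against a CA bundle given as a single
    # PEM file, consistent with nginx's other verification directives
    # (there is no directory variant).
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;

    # Name to check the certificate against, and send it as SNI so the
    # upstream presents the matching certificate.
    proxy_ssl_name backend.internal.example;
    proxy_ssl_server_name on;
}
```

With proxy_ssl_verify on, a handshake against an untrusted or mismatched upstream certificate fails and is logged in the error log instead of being proxied.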


