Verify Upstream SSL Certs
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 28 08:54:03 UTC 2013
Hello!
On Wed, Aug 28, 2013 at 09:20:46AM +0100, Phil Parker wrote:
> This has been discussed in detail previously:
>
> http://trac.nginx.org/nginx/ticket/13
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
>
> I have created a patch that I'm using locally and would like to contribute
> but am a first-time contributor so looking for advice.
Given the fact that Aviram Cohen's patch for the same ticket is
already in the review process, I would suggest you join the
review/testing instead.
See this thread for details:
http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004085.html
> The way I've implemented it supports two (mutually exclusive) new
> directives on a location. e.g.
>
> location / {
> proxy_ssl_peer_certificate_path "/tmp/sslcerts";
> #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
> proxy_pass ....
> }
>
> These are passed through to SSL_CTX_load_verify_locations (
> http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)
Just a side note: we don't provide "_path" variants for other
certificate verification directives, so it's unlikely it will be
accepted for a proxy peer verification.
> The main advice I'm looking for:
>
> 1) Is this implemented in a way that is useful for others?
> 2) Should I be writing tests/test driving? If so, how?
Writing tests may make sense (though not required); the test suite is
available at http://hg.nginx.org/nginx-tests.
> 3) Anything in the patch (below) that needs to be changed (implementation
> or style)?
> 4) How best to submit the patch (I've currently made it against 1.4.2 and
> just created a patch file, not currently a Mercurial user but can check-out
> if necessary)?
Basic recommendations can be found here:
http://nginx.org/en/docs/contributing_changes.html
[...]
--
Maxim Dounin
http://nginx.org/en/donation.html
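For readers landing on this thread: the following configuration is an added illustration, not code from the thread, the patch under discussion or Aviram Cohen's patch. It shows the shape the feature took in nginx releases that shipped upstream certificate verification after this discussion (the proxy_ssl_verify, proxy_ssl_trusted_certificate, proxy_ssl_verify_depth, proxy_ssl_server_name and proxy_ssl_name directives are nginx's own; the upstream address, CA file path and hostname are placeholders). Consistent with Maxim's side note, the trust anchor is a single PEM file rather than a directory, and the insecure and verified forms are shown side by side.

```nginx
# Added example, not part of the original thread. Upstream address, CA file
# and hostname below are placeholders.

upstream backend {
    server 10.0.0.10:443;   # placeholder upstream
}

server {
    listen 80;

    # Insecure: TLS to the upstream, but the certificate is never checked.
    # proxy_ssl_verify defaults to off, so any certificate presented by
    # whoever answers on 10.0.0.10:443 is accepted.
    location /unverified/ {
        proxy_pass https://backend;
    }

    # Verified: the upstream chain must validate against the listed CA
    # (one PEM file; nginx provides no directory/"_path" variant) and the
    # certificate must match the expected name.
    location / {
        proxy_pass https://backend;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;  # placeholder path
        proxy_ssl_verify_depth        2;
        proxy_ssl_server_name         on;                        # send SNI to the upstream
        proxy_ssl_name                backend.internal.example;  # placeholder name checked in the cert
    }
}
```

With `proxy_ssl_verify on`, a handshake whose certificate chain does not validate fails the proxied request rather than silently proceeding, which is the failure mode Phil's patch and ticket 13 set out to close; `proxy_ssl_verify_depth` bounds how long an intermediate chain nginx will walk when validating.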