Verify Upstream SSL Certs

Maxim Dounin mdounin at mdounin.ru
Wed Aug 28 16:22:36 UTC 2013


Hello!

On Wed, Aug 28, 2013 at 04:45:38PM +0100, Phil Parker wrote:

[...]

> It might be worth adding a comment to the trac ticket and the previous
> (dead, I think) patch thread I found above so people can "follow the
> breadcrumbs"?

Sure, I've added a couple of links there.

> > See this thread for details:
> > http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004085.html
> >
> 
> I've downloaded this and managed to patch/compile on:
> 
> nginx version: nginx/1.4.2
> Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64
> GNU/Linux
> 
> I specified proxy_ssl_verify and proxy_ssl_trusted_certificate (I tried
> this with both specifying a single cert, which worked with my previous
> patch, and a combined cert via 'openssl x509 -in cert1.pem -text >>
> CAfile.pem') but got the following error when trying to proxy:
> 
> [error] 14716#0: *1 upstream sslcertificate validation failed while SSL
> handshaking to upstream
> 
> This message doesn't match the one in the patch (which is just "upstream
> sslcertificate validation failed" but a search led me to

The message is different as "while <log->action>" is added 
automatically by ngx_http_log_error().

One of the comments I've made during the last review is that error 
messages should be improved.  :)

[...]

> One additional point is it looks from the patch like if you don't specify
> 'proxy_ssl_verify_depth' it defaults to 1 but the OpenSSL documentation
> states it defaults to 9
> http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES.
> 
> I'd suggest if it's not specified in an nginx directive then the default
> should be that of OpenSSL (the Principle of Least Astonishment
> applies....).

The ssl_verify_depth defaults to 1, as well as Apache's 
SSLProxyVerifyDepth.  So I tend to think that using a different 
default for proxy_ssl_verify_depth will actually break POLA.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
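The configuration the thread is discussing, written out as an added example (not part of this mailing-list post or of the patch under review). It assumes an nginx build that has the proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_verify_depth directives discussed above (they shipped as standard directives in nginx 1.7.0); the upstream name, the certificate path and the CA file are placeholders. The first server block shows the setting that the patch exists to fix, the second the verified form, and the comments spell out what the verify depth of 1 accepts.

```nginx
# ASSUMED example configuration, not from the thread or the patch.

# Weak form: HTTPS to the upstream, but without proxy_ssl_verify nginx
# never checks the upstream certificate, so a host on the path that
# presents any certificate is accepted (encryption without authentication).
server {
    listen 8080;
    location / {
        proxy_pass https://backend.example.internal;   # placeholder upstream
    }
}

# Hardened form: verify the upstream certificate against a trusted CA bundle.
server {
    listen 8443;
    location / {
        proxy_pass https://backend.example.internal;   # placeholder upstream

        # Turn on verification; a failure is logged as
        # "upstream SSL certificate verify error ... while SSL handshaking to upstream"
        # (the "while ..." suffix is appended by ngx_http_log_error, as noted above).
        proxy_ssl_verify on;

        # PEM file holding the trusted CA certificate(s). Several CAs are
        # simply concatenated into one file; the placeholder path is assumed.
        proxy_ssl_trusted_certificate /etc/nginx/ca/upstream-ca.pem;

        # OpenSSL counts CA certificates only, not the end-entity certificate:
        #   depth 1 -> leaf signed directly by a trusted CA (the nginx default)
        #   depth 2 -> leaf -> intermediate CA -> trusted root
        # Keep the default 1 unless the upstream really uses an intermediate;
        # raising it only widens what is accepted.
        proxy_ssl_verify_depth 1;
    }
}
```

To build the CA file in the hardened block, concatenating plain PEM certificates (for example with `cat ca1.pem ca2.pem > upstream-ca.pem`) is enough; the `-text` output mentioned earlier in the thread is still loadable by OpenSSL because the PEM block follows the dump, but it roughly doubles the file for no gain. A quick offline check that the bundle actually signs the upstream's certificate is `openssl verify -CAfile upstream-ca.pem -verify_depth 1 upstream-leaf.pem`, using the same depth the configuration will use.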
