[PATCH] Proxy remote server SSL certificate verification
Aviram Cohen
aviram at adallom.com
Sun Sep 1 08:19:06 UTC 2013
Hello!
On Wed, Aug 28, 2013 at 3:41 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
[...]
>
>     if (conf->upstream.ssl
>         && ngx_ssl_trusted_certificate(cf, conf->upstream.ssl,
>                                        &conf->upstream.ssl_certificate,
>                                        conf->upstream.ssl_verify_depth)
>            != NGX_OK)
>     {
>         ...
>     }
>
> Additional question is what happens in a configuration like
>
>     location / {
>         proxy_pass https://example.com;
>         proxy_ssl_verify on;
>         proxy_ssl_trusted_certificate example.crt;
>
>         if ($foo) {
>             # do nothing
>         }
>     }
>
> or the same with a nested location instead of "if". Quick look
> suggests it will result in trusted certs loaded twice (and stale
> alerts later due to how OpenSSL handles this).
>
I have tried this configuration (and also a nested location), and didn't
see that Nginx loaded the same certificate twice (I've actually put
a breakpoint on the if clause in which ngx_ssl_trusted_certificate
is called, and it was called only once for the location).
Can you specify exactly how to reproduce this case?
Regards,
Aviram