[PATCH] Proxy remote server SSL certificate verification

Aviram Cohen aviram at adallom.com
Sun Sep 1 08:19:06 UTC 2013


Hello!

On Wed, Aug 28, 2013 at 3:41 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
[...]
>
>     if (conf->upstream.ssl
>         && ngx_ssl_trusted_certificate(cf, conf->upstream.ssl,
>                                        &conf->upstream.ssl_certificate,
>                                        conf->upstream.ssl_verify_depth)
>            != NGX_OK)
>     {
>         ...
>     }
>
> Additional question is what happens in a configuration like
>
>     location / {
>         proxy_pass https://example.com;
>         proxy_ssl_verify on;
>         proxy_ssl_trusted_certificate example.crt;
>
>         if ($foo) {
>             # do nothing
>         }
>     }
>
> or the same with a nested location instead of "if".  Quick look
> suggests it will result in trusted certs loaded twice (and stale
> alerts later due to how OpenSSL handles this).
>

I have tried this configuration (and also a nested location), and didn't
see that Nginx loaded the same certificate twice (I've actually put
a breakpoint on the if clause in which ngx_ssl_trusted_certificate
is called, and it was called only once for the location).

Can you specify exactly how to reproduce this case?

Regards,
Aviram


