[PATCH] Proxy remote server SSL certificate verification
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 2 12:09:59 UTC 2013
Hello!
On Sun, Sep 01, 2013 at 11:19:06AM +0300, Aviram Cohen wrote:
> Hello!
>
> On Wed, Aug 28, 2013 at 3:41 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Hello!
> >
> [...]
> >
> >     if (conf->upstream.ssl
> >         && ngx_ssl_trusted_certificate(cf, conf->upstream.ssl,
> >                                        &conf->upstream.ssl_certificate,
> >                                        conf->upstream.ssl_verify_depth)
> >            != NGX_OK)
> >     {
> >         ...
> >     }
> >
> > Additional question is what happens in a configuration like
> >
> >     location / {
> >         proxy_pass https://example.com;
> >         proxy_ssl_verify on;
> >         proxy_ssl_trusted_certificate example.crt;
> >
> >         if ($foo) {
> >             # do nothing
> >         }
> >     }
> >
> > or the same with a nested location instead of "if". A quick look
> > suggests it will result in trusted certs loaded twice (and stale
> > alerts later due to how OpenSSL handles this).
> >
>
> I have tried this configuration (and also a nested location), and didn't
> see that Nginx loaded the same certificate twice (I've actually put
> a breakpoint on the if clause in which ngx_ssl_trusted_certificate
> is called, and it was called only once for the location).
>
> Can you specify exactly how to reproduce this case?
I was probably wrong here, as the code you added runs before
conf->upstream.ssl is inherited.
--
Maxim Dounin
http://nginx.org/en/donation.html
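For reference, here is the shape of the configuration the thread is discussing, written as an added example rather than taken from the patch or from the nginx source. It enables upstream certificate verification once at the server level and lets the location, the nested location and the "if" block inherit it, which is the merge path the exchange above is about. Directive names are those of released nginx (1.7.0 and later); the patch under review may have spelled them differently, and the hostname, path and depth value are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name frontend.example;            # placeholder

    # Verify the upstream's certificate against a pinned CA bundle.
    # Set once here; every location below inherits these values.
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.crt;   # placeholder path
    proxy_ssl_verify_depth        2;         # CA -> intermediate -> leaf

    # Check the certificate's name against the proxied host and
    # send it as SNI, so a valid certificate for the wrong host is rejected.
    proxy_ssl_server_name         on;
    proxy_ssl_name                backend.example;              # placeholder

    location / {
        proxy_pass https://backend.example;  # placeholder upstream

        # An "if" block creates its own location configuration that
        # must inherit the settings above, not reload the CA bundle.
        if ($foo) {
            # do nothing
        }

        # A nested location takes the same inheritance path.
        location /api/ {
            proxy_pass https://backend.example/api/;
        }
    }
}
```

Verification only protects the connection if it is actually on for the location that issues the proxy_pass; after editing, `nginx -t` confirms the configuration parses, and a test against an upstream presenting an untrusted certificate should yield a 502 with an "upstream SSL certificate verify error" entry in the error log.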