[PATCH] Proxy remote server SSL certificate verification

Maxim Dounin mdounin at mdounin.ru
Mon Sep 2 12:09:59 UTC 2013


Hello!

On Sun, Sep 01, 2013 at 11:19:06AM +0300, Aviram Cohen wrote:

> Hello!
> 
> On Wed, Aug 28, 2013 at 3:41 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Hello!
> >
> [...]
> >
> >     if (conf->upstream.ssl
> >         && ngx_ssl_trusted_certificate(cf, conf->upstream.ssl,
> >                                        &conf->upstream.ssl_certificate,
> >                                        conf->upstream.ssl_verify_depth)
> >            != NGX_OK)
> >     {
> >         ...
> >     }
> >
> > Additional question is what happens in a configuration like
> >
> >     location / {
> >         proxy_pass https://example.com;
> >         proxy_ssl_verify on;
> >         proxy_ssl_trusted_certificate example.crt;
> >
> >         if ($foo) {
> >             # do nothing
> >         }
> >     }
> >
> > or the same with a nested location instead of "if".  A quick look
> > suggests it will result in trusted certs loaded twice (and stale
> > alerts later due to how OpenSSL handles this).
> >
> 
> I have tried this configuration (and also a nested location), and didn't
> see that Nginx loaded the same certificate twice (I've actually put
> a breakpoint on the if clause in which ngx_ssl_trusted_certificate
> is called, and it was called only once for the location).
> 
> Can you specify exactly how to reproduce this case?

I was probably wrong here, as the code you added is before the 
conf->upstream.ssl is inherited.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
