[nginx] Upstream: proxy_ssl_verify and friends.
Maxim Dounin
mdounin at mdounin.ru
Fri Apr 18 16:33:41 UTC 2014
details: http://hg.nginx.org/nginx/rev/060c2e692b96
branches:
changeset: 5661:060c2e692b96
user: Maxim Dounin <mdounin at mdounin.ru>
date: Fri Apr 18 20:13:30 2014 +0400
description:
Upstream: proxy_ssl_verify and friends.
diffstat:
src/event/ngx_event_openssl.c | 164 +++++++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 2 +
src/http/modules/ngx_http_proxy_module.c | 62 +++++++++++
src/http/ngx_http_upstream.c | 27 ++++-
src/http/ngx_http_upstream.h | 1 +
5 files changed, 255 insertions(+), 1 deletions(-)
diffs (truncated from 376 to 300 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -44,6 +44,10 @@ static int ngx_ssl_session_ticket_key_ca
HMAC_CTX *hctx, int enc);
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10002001L
+static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
+#endif
+
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
@@ -2487,6 +2491,166 @@ ngx_ssl_cleanup_ctx(void *data)
ngx_int_t
+ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
+{
+ X509 *cert;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_ERROR;
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002001L
+
+ /* X509_check_host() is only available in OpenSSL 1.0.2+ */
+
+ if (X509_check_host(cert, name->data, name->len, 0) != 1) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "X509_check_host(): no match");
+ goto failed;
+ }
+
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "X509_check_host(): match");
+
+ goto found;
+
+#else
+ {
+ int n, i;
+ X509_NAME *sname;
+ ASN1_STRING *str;
+ X509_NAME_ENTRY *entry;
+ GENERAL_NAME *altname;
+ STACK_OF(GENERAL_NAME) *altnames;
+
+ /*
+ * As per RFC6125 and RFC2818, we check subjectAltName extension,
+ * and if it's not present - commonName in Subject is checked.
+ */
+
+ altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+ if (altnames) {
+ n = sk_GENERAL_NAME_num(altnames);
+
+ for (i = 0; i < n; i++) {
+ altname = sk_GENERAL_NAME_value(altnames, i);
+
+ if (altname->type != GEN_DNS) {
+ continue;
+ }
+
+ str = altname->d.dNSName;
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: \"%*s\"",
+ ASN1_STRING_length(str), ASN1_STRING_data(str));
+
+ if (ngx_ssl_check_name(name, str) == NGX_OK) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: match");
+ GENERAL_NAMES_free(altnames);
+ goto found;
+ }
+ }
+
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL subjectAltName: no match");
+
+ GENERAL_NAMES_free(altnames);
+ goto failed;
+ }
+
+ /*
+ * If there is no subjectAltName extension, check commonName
+ * in Subject. While RFC2818 requires to only check "most specific"
+ * CN, both Apache and OpenSSL check all CNs, and so do we.
+ */
+
+ sname = X509_get_subject_name(cert);
+
+ if (sname == NULL) {
+ goto failed;
+ }
+
+ i = -1;
+ for ( ;; ) {
+ i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
+
+ if (i < 0) {
+ break;
+ }
+
+ entry = X509_NAME_get_entry(sname, i);
+ str = X509_NAME_ENTRY_get_data(entry);
+
+ ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL commonName: \"%*s\"",
+ ASN1_STRING_length(str), ASN1_STRING_data(str));
+
+ if (ngx_ssl_check_name(name, str) == NGX_OK) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL commonName: match");
+ goto found;
+ }
+ }
+
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL commonName: no match");
+ }
+#endif
+
+failed:
+
+ X509_free(cert);
+ return NGX_ERROR;
+
+found:
+
+ X509_free(cert);
+ return NGX_OK;
+}
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10002001L
+
+static ngx_int_t
+ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
+{
+ u_char *s, *p, *end;
+ size_t slen, plen;
+
+ s = name->data;
+ slen = name->len;
+
+ p = ASN1_STRING_data(pattern);
+ plen = ASN1_STRING_length(pattern);
+
+ if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
+ return NGX_OK;
+ }
+
+ if (plen > 2 && p[0] == '*' && p[1] == '.') {
+ plen -= 1;
+ p += 1;
+
+ end = s + slen;
+ s = ngx_strlchr(s, end, '.');
+ slen = end - s;
+
+ if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
+ return NGX_OK;
+ }
+ }
+
+ return NGX_ERROR;
+}
+
+#endif
+
+
+ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
s->data = (u_char *) SSL_get_version(c->ssl->connection);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -150,6 +150,8 @@ ngx_int_t ngx_ssl_set_session(ngx_connec
|| n == X509_V_ERR_CERT_UNTRUSTED \
|| n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
+ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
+
ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -81,6 +81,9 @@ typedef struct {
ngx_uint_t ssl;
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
+ ngx_uint_t ssl_verify_depth;
+ ngx_str_t ssl_trusted_certificate;
+ ngx_str_t ssl_crl;
#endif
} ngx_http_proxy_loc_conf_t;
@@ -567,6 +570,34 @@ static ngx_command_t ngx_http_proxy_com
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
NULL },
+ { ngx_string("proxy_ssl_verify"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
+ NULL },
+
+ { ngx_string("proxy_ssl_verify_depth"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth),
+ NULL },
+
+ { ngx_string("proxy_ssl_trusted_certificate"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate),
+ NULL },
+
+ { ngx_string("proxy_ssl_crl"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
+ NULL },
+
#endif
ngx_null_command
@@ -2418,6 +2449,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
+ * conf->ssl_trusted_certificate = { 0, NULL };
+ * conf->ssl_crl = { 0, NULL };
*/
conf->upstream.store = NGX_CONF_UNSET;
@@ -2460,6 +2493,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
#if (NGX_HTTP_SSL)
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
+ conf->upstream.ssl_verify = NGX_CONF_UNSET;
+ conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
#endif
/* "proxy_cyclic_temp_file" is disabled */
@@ -2749,6 +2784,13 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0);
+ ngx_conf_merge_value(conf->upstream.ssl_verify,
+ prev->upstream.ssl_verify, 0);
+ ngx_conf_merge_uint_value(conf->ssl_verify_depth,
+ prev->ssl_verify_depth, 1);
+ ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
+ prev->ssl_trusted_certificate, "");
+ ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
@@ -3818,6 +3860,26 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
return NGX_ERROR;
}
+ if (plcf->upstream.ssl_verify) {
+ if (plcf->ssl_trusted_certificate.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no proxy_ssl_trusted_certificate for proxy_ssl_verify");
+ return NGX_ERROR;
+ }
+
+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+ &plcf->ssl_trusted_certificate,
+ plcf->ssl_verify_depth)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}
More information about the nginx-devel
mailing list