[PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
Maxim Dounin
mdounin at mdounin.ru
Fri Apr 18 16:52:20 UTC 2014
Hello!
On Wed, Feb 12, 2014 at 08:29:08PM +0400, Maxim Dounin wrote:
> On Tue, Feb 11, 2014 at 01:16:41PM -0800, Piotr Sikora wrote:
[...]
> > > My original suggestion is as follows:
> > >
> > > proxy_ssl_name <value>
> > >
> > > default: $proxy_host
> > > complex value, controls a name used in SNI (if
> > > enabled)
> > >
> > > proxy_ssl_verify on|off
> > >
> > > default: off
> > > flag, controls if remote certificate verification is enabled
> > >
> > > proxy_ssl_verify_name on|off
> > >
> > > default: on
> > > flag, controls if remote certificate verification needs to
> > > check peer's name; must be explicitly switched off
> > > if certificate verification is switched on, but
> > > the name can't be checked due to too old OpenSSL
> >
> > Got it.
>
> Just a quick note:
>
> We've discussed this with Igor, and he thinks that peer's name
> should be always checked, without an ability to check switch the
> check off selectively. Mostly to simplify user experience. This
> implies that we either need our own peer's name check code, or
> verification won't work at all if OpenSSL is too old.
Another quick note:
I've committed backend SSL certificate verification code which
mostly matches the above description:
http://hg.nginx.org/nginx/rev/7022564a9e0e
http://hg.nginx.org/nginx/rev/060c2e692b96
--
Maxim Dounin
http://nginx.org/
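As an added illustration of the directives discussed in this thread (not part of the original message or of the committed changesets), the following configuration contrasts a proxy block that leaves backend verification at its default with one that enables it. Directive names other than proxy_ssl_name and proxy_ssl_verify are assumed from released nginx rather than taken from the thread, and the CA bundle path and host names are placeholders.

```nginx
# Added example, not from the original message. Directive names beyond
# proxy_ssl_name/proxy_ssl_verify are assumed from released nginx; the
# CA bundle path and host names are placeholders.

upstream backend {
    server backend.internal.example:443;
}

# Weak: proxy_ssl_verify is left at its default ("off"), so nginx accepts
# whatever certificate the peer presents; an on-path attacker between
# nginx and the backend can terminate TLS with a certificate of its own.
server {
    listen 8080;
    location / {
        proxy_pass https://backend;
    }
}

# Hardened: verify the backend certificate against a trusted CA bundle and
# check the peer's name. proxy_ssl_name defaults to $proxy_host, which here
# is the upstream name "backend" rather than the DNS name the certificate
# was issued for, so it is set explicitly and also sent via SNI.
server {
    listen 8443;
    location / {
        proxy_pass https://backend;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ca/backend-ca.pem;  # placeholder
        proxy_ssl_name                backend.internal.example;
        proxy_ssl_server_name         on;
    }
}
```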