[PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives

Maxim Dounin mdounin at mdounin.ru
Fri Apr 18 16:52:20 UTC 2014


Hello!

On Wed, Feb 12, 2014 at 08:29:08PM +0400, Maxim Dounin wrote:

> On Tue, Feb 11, 2014 at 01:16:41PM -0800, Piotr Sikora wrote:

[...]

> > > My original suggestion is as follows:
> > >
> > > proxy_ssl_name <value>
> > >
> > >     default: $proxy_host
> > >     complex value, controls a name used in SNI (if
> > >     enabled)
> > >
> > > proxy_ssl_verify on|off
> > >
> > >     default: off
> > >     flag, controls if remote certificate verification is enabled
> > >
> > > proxy_ssl_verify_name on|off
> > >
> > >     default: on
> > >     flag, controls if remote certificate verification needs to
> > >     check peer's name;  must be explicitly switched off
> > >     if certificate verification is switched on, but
> > >     the name can't be checked due to too old OpenSSL
> > 
> > Got it.
> 
> Just a quick note:
> 
> We've discussed this with Igor, and he thinks that peer's name 
> should be always checked, without an ability to switch the 
> check off selectively.  Mostly to simplify user experience.  This 
> implies that we either need our own peer's name check code, or 
> verification won't work at all if OpenSSL is too old.

Another quick note:

I've committed backend SSL certificate verification code which 
mostly matches the above description:

http://hg.nginx.org/nginx/rev/7022564a9e0e
http://hg.nginx.org/nginx/rev/060c2e692b96

-- 
Maxim Dounin
http://nginx.org/
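As an added illustration, not part of this message or of the nginx commits it links, here is what the directives described above look like in a proxy_pass configuration, with the insecure default beside the hardened form. Only proxy_ssl_verify and proxy_ssl_name appear in the message; proxy_ssl_trusted_certificate, proxy_ssl_verify_depth and proxy_ssl_server_name are taken from the nginx documentation, and the server names, upstream host and file paths are placeholders.

```nginx
# Constructed example; not taken from the nginx-devel message above.

server {
    listen 443 ssl;
    server_name         frontend.example;             # placeholder
    ssl_certificate     /etc/nginx/frontend.pem;      # placeholder
    ssl_certificate_key /etc/nginx/frontend.key;      # placeholder

    # (1) Weak: proxy_ssl_verify defaults to "off", so nginx accepts any
    #     certificate the upstream presents, including one minted by an
    #     on-path attacker. TLS here only hides traffic from passive
    #     observers; it does not authenticate the backend.
    location /weak/ {
        proxy_pass https://backend.internal.example;  # placeholder upstream
        # no proxy_ssl_verify line: same as "proxy_ssl_verify off"
    }

    # (2) Hardened: verify the chain against a pinned CA bundle and check
    #     the peer's name. Per the note above, turning verification on
    #     is meant to make the name check mandatory rather than optional.
    location /hardened/ {
        proxy_pass https://backend.internal.example;  # placeholder upstream

        proxy_ssl_verify              on;
        # PEM bundle the backend certificate must chain to (placeholder
        # path); directive name from the nginx docs, not from the message.
        proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;
        # Allow one intermediate between leaf and root (default is 1).
        proxy_ssl_verify_depth        2;

        # Name checked against the certificate; defaults to $proxy_host.
        # Set it explicitly when proxy_pass points at an IP address or an
        # "upstream" block, where $proxy_host is not the backend's DNS name.
        proxy_ssl_name                backend.internal.example;
        # Send the same name in SNI so a virtual-hosting backend presents
        # the matching certificate (directive name from the nginx docs).
        proxy_ssl_server_name         on;
    }
}
```

A quick check for the hardened block is to point proxy_pass at a backend whose certificate chains to a different CA, or whose subject name does not match proxy_ssl_name, and confirm the request fails with a 502 instead of being proxied; the same request succeeds through the /weak/ location, which is exactly the gap the new directives close. The uwsgi_ssl_* directives named in the subject follow the same pattern for uwsgi_pass.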
