[PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
Piotr Sikora
piotr at cloudflare.com
Fri Feb 7 02:40:29 UTC 2014
Hey Maxim,
> I think that automatic checking peer name is how it should work (I
> believe examples above imply this, please let me know if you need
> more clarification on the proposal above). Moreover, I think it
> should complain if verify is on but checking isn't supported, and
> ask administrator to explicitly switch off peer name check.
>
> I strongly disagree with the idea of verify being on by default
> though, at least for now, it will break too many configurations.
>
> And I also think that there should be a way to at least switch off
> SNI, and do this independently from peer verification.
Got it, I mis-read your previous comment.
To make sure we're on the same page:
- proxy_ssl_name - complex value, defaults to $proxy_host,
- proxy_ssl_verify - on / no_name / off (default) switch, verifies
upstream's certificate and optionally checks that it matches value
from proxy_ssl_name,
- proxy_ssl_server_name - on (default) / off switch, sends value from
proxy_ssl_name to SNI to upstream.
I don't like adding proxy_ssl_verify_name directive just to configure
the host checking logic. IMHO, it's part of the verification process
and should be configureable via proxy_ssl_verify.
I'm also not 100% convinced that we should allow users to configure
proxy_ssl_name... Maybe just force it to $proxy_host?
Does it match your proposal or did I miss something?
Regarding complaining - do we want to re-implement X509_check_host()
(from OpenSSL-1.0.2) or do we want to complain to virtually anybody
that turns upstream SSL verification on?
> My point is that connections can be quite different anyway, and
> e.g. have much different ciphers negotiated (up to eNULL ciphers I
> think). It's up to administrator to configure upstream{} blocks
> appropriately to avoid such clashes if they aren't allowed.
Ah, right, I forgot about the SSL connection parameters.
Best regards,
Piotr Sikora
More information about the nginx-devel
mailing list