[PATCH 1 of 6] SSL: define NGX_SSL_VERIFY constants
Piotr Sikora
piotrsikora at google.com
Thu Aug 18 00:29:22 UTC 2016
# HG changeset patch
# User Piotr Sikora <piotrsikora at google.com>
# Date 1471428975 25200
# Wed Aug 17 03:16:15 2016 -0700
# Node ID 653b04653271346c63ab5f3daced807228eed5ac
# Parent c131f20c9562387f94a268440594c288725d3ba8
SSL: define NGX_SSL_VERIFY constants.
No binary changes.
Signed-off-by: Piotr Sikora <piotrsikora at google.com>
diff -r c131f20c9562 -r 653b04653271 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -125,17 +125,21 @@ typedef struct {
#endif
-#define NGX_SSL_SSLv2 0x0002
-#define NGX_SSL_SSLv3 0x0004
-#define NGX_SSL_TLSv1 0x0008
-#define NGX_SSL_TLSv1_1 0x0010
-#define NGX_SSL_TLSv1_2 0x0020
+#define NGX_SSL_SSLv2 0x0002
+#define NGX_SSL_SSLv3 0x0004
+#define NGX_SSL_TLSv1 0x0008
+#define NGX_SSL_TLSv1_1 0x0010
+#define NGX_SSL_TLSv1_2 0x0020
+#define NGX_SSL_VERIFY_OFF 0
+#define NGX_SSL_VERIFY_REQUIRED 1
+#define NGX_SSL_VERIFY_OPTIONAL 2
+#define NGX_SSL_VERIFY_OPTIONAL_NO_CA 3
-#define NGX_SSL_BUFFER 1
-#define NGX_SSL_CLIENT 2
+#define NGX_SSL_BUFFER 1
+#define NGX_SSL_CLIENT 2
-#define NGX_SSL_BUFSIZE 16384
+#define NGX_SSL_BUFSIZE 16384
ngx_int_t ngx_ssl_init(ngx_log_t *log);
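Review bot: The four NGX_SSL_VERIFY_* defines are added without a comment, although they differ in kind from the NGX_SSL_SSLv2 .. NGX_SSL_TLSv1_2 bit masks directly above them. They are mutually exclusive values stored in the `verify` field and matched with `==`/`!=`, not flags to be OR-ed together. A one-line comment such as `/* client verify modes: exclusive values, not a bitmask; NGX_SSL_VERIFY_OFF must stay 0 */` would prevent misuse. The zero requirement matters in this patch because both merge functions still test `if (conf->verify)`.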
diff -r c131f20c9562 -r 653b04653271 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -62,10 +62,10 @@ static ngx_conf_bitmask_t ngx_http_ssl_
static ngx_conf_enum_t ngx_http_ssl_verify[] = {
- { ngx_string("off"), 0 },
- { ngx_string("on"), 1 },
- { ngx_string("optional"), 2 },
- { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+ { ngx_string("on"), NGX_SSL_VERIFY_REQUIRED },
+ { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+ { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
{ ngx_null_string, 0 }
};
@@ -570,7 +570,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
- ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+ ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
@@ -700,7 +700,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0
+ && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
return NGX_CONF_ERROR;
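Review bot: The outer test `if (conf->verify) {` still depends on the off mode being numerically zero, while the inner condition in the same hunk now uses a named constant. Writing it as `if (conf->verify != NGX_SSL_VERIFY_OFF) {` would keep the guard correct if the values are ever renumbered. That matters because this block is what rejects a configuration that enables client verification with no ssl_client_certificate set. The same applies to the matching hunk in ngx_mail_ssl_merge_conf. The function body starts and ends outside the hunk.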
diff -r c131f20c9562 -r 653b04653271 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1862,7 +1862,8 @@ ngx_http_process_request(ngx_http_reques
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK
- && (sscf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sscf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+ || !ngx_ssl_verify_error_optional(rc)))
{
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)",
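Review bot: The condition that now names NGX_SSL_VERIFY_OPTIONAL_NO_CA is the one place where a failed verification result is deliberately let through, and it has no comment saying so. In that mode, any rc for which ngx_ssl_verify_error_optional(rc) is true does not end the request, so the client certificate reaches later processing without having been validated by nginx; its definition is not in this hunk, so the exact set of tolerated errors should be confirmed there. I would add above the `if`: `/* optional_no_ca: errors accepted by ngx_ssl_verify_error_optional() are tolerated; the certificate is NOT trusted here and must be verified by its consumer */`. The same comment fits the identical condition in ngx_mail_verify_cert. ngx_http_process_request begins and ends outside the hunk.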
@@ -1875,7 +1876,7 @@ ngx_http_process_request(ngx_http_reques
return;
}
- if (sscf->verify == 1) {
+ if (sscf->verify == NGX_SSL_VERIFY_REQUIRED) {
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
diff -r c131f20c9562 -r 653b04653271 src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -296,7 +296,8 @@ ngx_mail_verify_cert(ngx_mail_session_t
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK
- && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc)))
+ && (sslcf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA
+ || !ngx_ssl_verify_error_optional(rc)))
{
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client SSL certificate verify error: (%l:%s)",
@@ -316,7 +317,7 @@ ngx_mail_verify_cert(ngx_mail_session_t
return NGX_ERROR;
}
- if (sslcf->verify == 1) {
+ if (sslcf->verify == NGX_SSL_VERIFY_REQUIRED) {
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
diff -r c131f20c9562 -r 653b04653271 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -47,10 +47,10 @@ static ngx_conf_bitmask_t ngx_mail_ssl_
static ngx_conf_enum_t ngx_mail_ssl_verify[] = {
- { ngx_string("off"), 0 },
- { ngx_string("on"), 1 },
- { ngx_string("optional"), 2 },
- { ngx_string("optional_no_ca"), 3 },
+ { ngx_string("off"), NGX_SSL_VERIFY_OFF },
+ { ngx_string("on"), NGX_SSL_VERIFY_REQUIRED },
+ { ngx_string("optional"), NGX_SSL_VERIFY_OPTIONAL },
+ { ngx_string("optional_no_ca"), NGX_SSL_VERIFY_OPTIONAL_NO_CA },
{ ngx_null_string, 0 }
};
@@ -287,7 +287,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
- ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+ ngx_conf_merge_uint_value(conf->verify, prev->verify, NGX_SSL_VERIFY_OFF);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
@@ -395,7 +395,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->client_certificate.len == 0
+ && conf->verify != NGX_SSL_VERIFY_OPTIONAL_NO_CA)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
return NGX_CONF_ERROR;