[PATCH] SSL: fix order of checks during SSL certificate verification

Piotr Sikora piotrsikora at google.com
Wed Aug 31 22:24:19 UTC 2016

Hey Maxim,

> At this point nginx just uses the interface provided by the
> OpenSSL library, exactly as documented.  The fact that the
> interface is flawed (and documented to be flawed to make sure
> people will use it properly) has nothing to do with nginx use of
> it.

And yet, NGINX doesn't use it properly.

> Your patches assume that there are no conflicts between nginx
> error codes (NGX_OK, NGX_DECLINED) and SSL_get_verify_result()
> error codes.  While this is currently true, this is not something
> I would rely on, even assuming OpenSSL only.

You didn't like the previous approach, when logging was done in
ngx_event_openssl.c (because of the use of "client" and "upstream"),
and you don't like this approach, when logging is done outside of
ngx_event_openssl.c (since the error code must be passed back to the
caller), which is actually one of the solutions you suggested.

Could you tell me what would be acceptable approach, then?

For the record, I don't understand why using "client" in
ngx_ssl_verify_client() and "upstream" in ngx_ssl_verify_host() is a
problem in the first place.

Best regards,
Piotr Sikora

More information about the nginx-devel mailing list