[nginx] SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 5 20:01:56 UTC 2016
details: http://hg.nginx.org/nginx/rev/379139020d36
branches:
changeset: 6814:379139020d36
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Dec 05 22:23:22 2016 +0300
description:
SSL: $ssl_client_verify extended with a failure reason.
Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".
Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.
diffstat:
src/event/ngx_event_openssl.c | 32 +++++++++++++++++++++-----------
1 files changed, 21 insertions(+), 11 deletions(-)
diffs (48 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3717,23 +3717,33 @@ ngx_ssl_get_fingerprint(ngx_connection_t
ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
- X509 *cert;
-
- if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
- ngx_str_set(s, "FAILED");
+ X509 *cert;
+ long rc;
+ const char *str;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ ngx_str_set(s, "NONE");
return NGX_OK;
}
- cert = SSL_get_peer_certificate(c->ssl->connection);
-
- if (cert) {
+ X509_free(cert);
+
+ rc = SSL_get_verify_result(c->ssl->connection);
+
+ if (rc == X509_V_OK) {
ngx_str_set(s, "SUCCESS");
-
- } else {
- ngx_str_set(s, "NONE");
+ return NGX_OK;
}
- X509_free(cert);
+ str = X509_verify_cert_error_string(rc);
+
+ s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
return NGX_OK;
}
More information about the nginx-devel
mailing list