[PATCH] SSL: fix order of checks during SSL certificate verification
Piotr Sikora
piotrsikora at google.com
Fri Sep 2 23:18:53 UTC 2016
Hey Maxim,
> You are misreading the BUGS section. It doesn't say that
> SSL_get_peer_certificate() must be always called when
> SSL_get_verify_result() is called. It says that SSL_get_verify_result() is
> only useful in connection with SSL_get_peer_certificate().
Those 2 sentences are mutually exclusive, if result of
SSL_get_verify_result() is useless without SSL_get_peer_certificate(),
then those two should be called together, or more precisely,
SSL_get_peer_certificate() should be called before
SSL_get_verify_result().
Also, for what it's worth, NGINX & netty-tcnative are the only two
consumers of this OpenSSL API (that we link against BoringSSL) that
use those functions in this order.
> The difference between ngx_ssl_error() and what you've suggested
> is that ngx_ssl_error() doesn't try to cast errors to an nginx rc
> value. Instead, it uses the error stack saved in the relevant
> connection object.
Except that SSL_get_verify_result() doesn't save its result on the
error stack, so what I suggested is as close to ngx_ssl_error() as
possible.
> As previously suggested, it might be a good solution to use "peer", as
> already used in serveral error messages in ngx_event_openssl.c
Again, could you elaborate why the use of "client" in
ngx_ssl_verify_client() and "upstream" in ngx_ssl_verify_host() is
wrong?
IMHO, the only case in which "peer" would make sense is if we wanted
to introduce common ngx_ssl_verify_peer() function that handles both
cases, which I don't think is a good idea.
Best regards,
Piotr Sikora
More information about the nginx-devel
mailing list