[PATCH] SSL: fix order of checks during SSL certificate verification

Piotr Sikora piotrsikora at google.com
Sat Sep 3 22:27:35 UTC 2016

Hey Maxim,

> No, your are incorrect here.  "In connection with" means that
> SSL_get_peer_certificate() should be used, but doesn't require it
> to be used always, in all cases.  In particular,
> SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> returns anything but X509_V_OK.

Sigh, why do you insist on checking status of verification of client
certificate that wasn't sent in the first place?

> Because ngx_ssl_verify_host() is expected to be a generic
> function, and it can be used in situations different from talking
> to upstream servers.

Like what, exactly?

Also, for the record, are you fine with "client" in
ngx_ssl_verify_client() or is that also expected to be generic

Best regards,
Piotr Sikora

More information about the nginx-devel mailing list