[PATCH] SSL: fix order of checks during SSL certificate verification
Piotr Sikora
piotrsikora at google.com
Sat Sep 3 22:27:35 UTC 2016
Hey Maxim,
> No, you are incorrect here. "In connection with" means that
> SSL_get_peer_certificate() should be used, but doesn't require it
> to be used always, in all cases. In particular,
> SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> returns anything but X509_V_OK.
Sigh, why do you insist on checking status of verification of client
certificate that wasn't sent in the first place?
> Because ngx_ssl_verify_host() is expected to be a generic
> function, and it can be used in situations different from talking
> to upstream servers.
Like what, exactly?
Also, for the record, are you fine with "client" in
ngx_ssl_verify_client() or is that also expected to be a generic
function?
Best regards,
Piotr Sikora