[PATCH] SSL: fix order of checks during SSL certificate verification

Maxim Dounin mdounin at mdounin.ru
Mon Sep 5 14:16:03 UTC 2016


On Sat, Sep 03, 2016 at 03:27:35PM -0700, Piotr Sikora wrote:

> Hey Maxim,
> > No, you are incorrect here.  "In connection with" means that
> > SSL_get_peer_certificate() should be used, but doesn't require it
> > to be used always, in all cases.  In particular,
> > SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> > returns anything but X509_V_OK.
> Sigh, why do you insist on checking status of verification of client
> certificate that wasn't sent in the first place?

It's not me who insists on anything.  It's you who insists that the 
current code is wrong.  It's not.

> > Because ngx_ssl_verify_host() is expected to be a generic
> > function, and it can be used in situations different from talking
> > to upstream servers.
> Like what, exactly?

For example, it can be used to verify a host of auth_http server 
in mail, or OCSP responder - if we'll implement SSL there.

> Also, for the record, are you fine with "client" in
> ngx_ssl_verify_client() or is that also expected to be generic
> function?

Yes, more or less.  I'm not fine with the ngx_ssl_verify_client() 
implementation as suggested in patches I've seen so far, as it 
seems too biased to the current use of client verification in http 
module, but it's a different question.

Maxim Dounin
