[PATCH] Make ssl upstream server name check configurable

Zhihua Cao czhihua at vmware.com
Fri Oct 13 12:23:12 UTC 2017


# HG changeset patch
# User Zhihua Cao <czhihua at vmware.com>
# Date 1507889088 25200
#      Fri Oct 13 03:04:48 2017 -0700
# Node ID cef7fb3f127a2847b3898f8e71d4d445a4b81dd6
# Parent  648b1cca8f50d83eea02a6cc2c105ae95a3f3d72
Make ssl upstream server name check configurable

Now nginx always checks the common name in the certificate sent
from upstream. But they are not always the same, and if they differ the ssl
handshake will fail.
Now make the check configurable: if proxy_ssl_server_name_check is off,
the check is turned off.
The check is turned on by default.

diff -r 648b1cca8f50 -r cef7fb3f127a src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c	Fri Oct 13 03:04:48 2017 -0700
@@ -673,6 +673,13 @@
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
       NULL },
 
+    { ngx_string("proxy_ssl_server_name_check"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name_check),
+      NULL },
+ 
     { ngx_string("proxy_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
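Review bot: With `proxy_ssl_server_name_check off` and `proxy_ssl_verify on`, only chain validation remains, so any certificate issued by a trusted CA is accepted for this upstream whatever name it carries; the new directive entry and its documentation should say that explicitly, and should point out that the existing `proxy_ssl_name` directive already covers the case where the expected name differs from the upstream host without giving up identity verification. The same applies to the stream directive added in the second directive-table hunk. The new entry's separator line carries a trailing space after the `+` marker, unlike the blank lines around it.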
@@ -2906,6 +2913,7 @@
     conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
     conf->upstream.ssl_server_name = NGX_CONF_UNSET;
     conf->upstream.ssl_verify = NGX_CONF_UNSET;
+    conf->upstream.ssl_server_name_check = NGX_CONF_UNSET;
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
     conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 #endif
@@ -3237,6 +3245,8 @@
                               prev->upstream.ssl_server_name, 0);
     ngx_conf_merge_value(conf->upstream.ssl_verify,
                               prev->upstream.ssl_verify, 0);
+    ngx_conf_merge_value(conf->upstream.ssl_server_name_check,
+                              prev->upstream.ssl_server_name_check, 1);
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
                               prev->ssl_verify_depth, 1);
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
diff -r 648b1cca8f50 -r cef7fb3f127a src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.c	Fri Oct 13 03:04:48 2017 -0700
@@ -1733,7 +1733,8 @@
                 goto failed;
             }
 
-            if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
+            if (u->conf->ssl_server_name_check
+                && ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
                 ngx_log_error(NGX_LOG_ERR, c->log, 0,
                               "upstream SSL certificate does not match \"%V\"",
                               &u->ssl_name);
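Review bot: When the new flag is off the identity check is skipped silently: the only log line in this path is the NGX_LOG_ERR emitted on a mismatch, so an operator reading the error log cannot tell that the certificate name was never compared against u->ssl_name. A debug-level line placed before the combined condition, e.g. `if (!u->conf->ssl_server_name_check) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "upstream SSL server name check disabled"); }`, would keep that visible; the same applies to the corresponding hunk in ngx_stream_proxy_module.c. The enclosing function starts and ends outside the hunk, so whether this branch is itself gated on ssl_verify cannot be confirmed here.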
diff -r 648b1cca8f50 -r cef7fb3f127a src/http/ngx_http_upstream.h
--- a/src/http/ngx_http_upstream.h	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.h	Fri Oct 13 03:04:48 2017 -0700
@@ -229,6 +229,7 @@
     ngx_http_complex_value_t        *ssl_name;
     ngx_flag_t                       ssl_server_name;
     ngx_flag_t                       ssl_verify;
+    ngx_flag_t                       ssl_server_name_check;
 #endif
 
     ngx_str_t                        module;
diff -r 648b1cca8f50 -r cef7fb3f127a src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c	Wed Oct 11 01:23:29 2017 -0700
+++ b/src/stream/ngx_stream_proxy_module.c	Fri Oct 13 03:04:48 2017 -0700
@@ -41,6 +41,7 @@
     ngx_flag_t                       ssl_server_name;
 
     ngx_flag_t                       ssl_verify;
+    ngx_flag_t                       ssl_server_name_check;
     ngx_uint_t                       ssl_verify_depth;
     ngx_str_t                        ssl_trusted_certificate;
     ngx_str_t                        ssl_crl;
@@ -270,6 +271,13 @@
       offsetof(ngx_stream_proxy_srv_conf_t, ssl_verify),
       NULL },
 
+    { ngx_string("proxy_ssl_server_name_check"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      offsetof(ngx_stream_proxy_srv_conf_t, ssl_server_name_check),
+      NULL },
+
     { ngx_string("proxy_ssl_verify_depth"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
@@ -1066,7 +1074,8 @@
 
             u = s->upstream;
 
-            if (ngx_ssl_check_host(pc, &u->ssl_name) != NGX_OK) {
+            if (pscf->ssl_server_name_check
+                && ngx_ssl_check_host(pc, &u->ssl_name) != NGX_OK) {
                 ngx_log_error(NGX_LOG_ERR, pc->log, 0,
                               "upstream SSL certificate does not match \"%V\"",
                               &u->ssl_name);
@@ -1852,6 +1861,7 @@
     conf->ssl_session_reuse = NGX_CONF_UNSET;
     conf->ssl_server_name = NGX_CONF_UNSET;
     conf->ssl_verify = NGX_CONF_UNSET;
+    conf->ssl_server_name_check = NGX_CONF_UNSET;
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
     conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 #endif
@@ -1917,6 +1927,8 @@
 
     ngx_conf_merge_value(conf->ssl_verify, prev->ssl_verify, 0);
 
+    ngx_conf_merge_value(conf->ssl_server_name_check, prev->ssl_server_name_check, 1);
+
     ngx_conf_merge_uint_value(conf->ssl_verify_depth,
                               prev->ssl_verify_depth, 1);
 
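Review bot: The added `ngx_conf_merge_value(conf->ssl_server_name_check, prev->ssl_server_name_check, 1);` line runs past 80 columns, while the neighbouring `ngx_conf_merge_uint_value` call in the same hunk wraps its second argument onto a continuation line; the new call should be wrapped the same way, as the http-module hunk already does for the same merge.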

