[PATCH] Make ssl upstream server name check configurable

Maxim Dounin mdounin at mdounin.ru
Fri Oct 13 13:20:33 UTC 2017


Hello!

On Fri, Oct 13, 2017 at 05:23:12AM -0700, Zhihua Cao wrote:

> # HG changeset patch
> # User Zhihua Cao <czhihua at vmware.com>
> # Date 1507889088 25200
> #      Fri Oct 13 03:04:48 2017 -0700
> # Node ID cef7fb3f127a2847b3898f8e71d4d445a4b81dd6
> # Parent  648b1cca8f50d83eea02a6cc2c105ae95a3f3d72
> Make ssl upstream server name check configurable
> 
> Now nginx always check if the common name in the certificate sent
> from upstream. But they are not always same, if not same,  ssl
> handshake will fail.
> Now make the check configurable, if proxy_ssl_server_name_check is off,
> turn off the check.
> The check is turned on by default.

The "proxy_ssl_name" directive can be used to adjust the name 
nginx asks for (if Server Name Indication is enabled) and verifies 
in the response, see http://nginx.org/r/proxy_ssl_name.  If you 
think it is not enough, please explain the use case you are trying 
to use it for.

(Also, please avoid replying to mailing list digests.  It breaks 
threads and generally makes conversations very inconvenient.)

[...]

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list