Ticket #13: proxy_ssl_verify-0.7.67.patch

src/event/ngx_event_openssl.c

@@ -157 +157 @@
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
 
+    /* verification options */
+
+    SSL_CTX_load_verify_locations(ssl->ctx, (const char *)ssl->ca_certificate.data, NULL);
+    SSL_CTX_set_verify(ssl->ctx, ssl->verify, NULL);
+    SSL_CTX_set_verify_depth(ssl->ctx, ssl->verify_depth);
+
     /* server side options */
 
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);

src/event/ngx_event_openssl.h

@@ -27 +27 @@
 typedef struct {
     SSL_CTX                    *ctx;
     ngx_log_t                  *log;
+    ngx_uint_t                  verify;
+    ngx_uint_t                  verify_depth;
+    ngx_str_t                   ca_certificate;
 } ngx_ssl_t;
 
 

src/http/modules/ngx_http_proxy_module.c

@@ -466 +466 @@
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),
       NULL },
 
+      { ngx_string("proxy_ssl_verify"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
+      NULL },
+
+      { ngx_string("proxy_ssl_verify_depth"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify_depth),
+      NULL },
+
+      { ngx_string("proxy_ssl_ca_certificate"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_ca_certificate),
+      NULL },
+
 #endif
 
       ngx_null_command
@@ -1950 +1971 @@
     conf->upstream.intercept_errors = NGX_CONF_UNSET;
 #if (NGX_HTTP_SSL)
     conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
+    conf->upstream.ssl_verify = NGX_CONF_UNSET_UINT;
+    conf->upstream.ssl_verify_depth = NGX_CONF_UNSET_UINT;
 #endif
 
     /* "proxy_cyclic_temp_file" is disabled */
@@ -2196 +2219 @@
 #if (NGX_HTTP_SSL)
     ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
                               prev->upstream.ssl_session_reuse, 1);
+    ngx_conf_merge_uint_value(conf->upstream.ssl_verify,
+                              prev->upstream.ssl_verify, 0);
+    ngx_conf_merge_uint_value(conf->upstream.ssl_verify_depth,
+                              prev->upstream.ssl_verify_depth, 1);
+    ngx_conf_merge_str_value(conf->upstream.ssl_ca_certificate,
+                              prev->upstream.ssl_ca_certificate, "");
+
+    if (conf->upstream.ssl_verify) {
+      if (conf->upstream.ssl_ca_certificate.len == 0) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+            "no \"proxy_ssl_ca_certificate\" is defined for "
+            "the \"proxy_ssl_verify\" directive");
+
+        return NGX_CONF_ERROR;
+      }
+    }
 #endif
 
     ngx_conf_merge_value(conf->redirect, prev->redirect, 1);
@@ -3011 +3050 @@
 
     plcf->upstream.ssl->log = cf->log;
 
+    plcf->upstream.ssl->ca_certificate.len = plcf->upstream.ssl_ca_certificate.len;
+    plcf->upstream.ssl->ca_certificate.data = plcf->upstream.ssl_ca_certificate.data;
+
+    plcf->upstream.ssl->verify = plcf->upstream.ssl_verify;
+    plcf->upstream.ssl->verify_depth = plcf->upstream.ssl_verify_depth;
+
     if (ngx_ssl_create(plcf->upstream.ssl,
                        NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL)
         != NGX_OK)

src/http/ngx_http_upstream.h

@@ -173 +173 @@
 #if (NGX_HTTP_SSL)
     ngx_ssl_t                       *ssl;
     ngx_flag_t                       ssl_session_reuse;
+    ngx_uint_t                       ssl_verify;
+    ngx_uint_t                       ssl_verify_depth;
+    ngx_str_t                        ssl_ca_certificate;
 #endif
 
 } ngx_http_upstream_conf_t;