Verify Upstream SSL Certs

Phil Parker
August 28, 2013 04:22AM
This has been discussed in detail previously:

http://trac.nginx.org/nginx/ticket/13
http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

I have created a patch that I'm using locally and would like to contribute,
but I am a first-time contributor, so I'm looking for advice.

The way I've implemented it supports two (mutually exclusive) new
directives on a location. e.g.

location / {
    proxy_ssl_peer_certificate_path "/tmp/sslcerts";
    #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
    proxy_pass ....
}

These are passed through to SSL_CTX_load_verify_locations
(http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html).

The main advice I'm looking for:

1) Is this implemented in a way that is useful for others?
2) Should I be writing tests/test driving? If so, how?
3) Anything in the patch (below) that needs to be changed (implementation
or style)?
4) How best to submit the patch (I've currently made it against 1.4.2 and
just created a patch file, not currently a Mercurial user but can check-out
if necessary)?


Thx,

P.

diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c
--- ../nginx-1.4.2/src/event/ngx_event_openssl.c 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.c 2013-08-28 08:21:26.062300918 +0100
@@ -228,6 +228,30 @@

SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);

+ if (ssl->ca_certificate_file.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, (const char *)
+ ssl->ca_certificate_file.data, NULL
+ ) == 0){
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_load_verify_locations(ctx, \"%s\", NULL)
failed",
+ (const char *)ssl->ca_certificate_file.data);
+ return NGX_ERROR;
+ }
+ }
+
+ if (ssl->ca_certificate_path.len > 0) {
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ssl->ctx, NULL,
+ (const char *)
+ ssl->ca_certificate_path.data) == 0){
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_load_verify_locations(ctx, NULL, \"%s\")
failed",
+ (const char *)ssl->ca_certificate_path.data);
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}
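Review bot: the verification enabled here is incomplete for a proxy client. SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, NULL) against a store filled by SSL_CTX_load_verify_locations() only checks that the upstream presented a chain ending at one of the configured CAs; nothing compares the certificate's subject or subjectAltName with the host named in proxy_pass, so a certificate issued by any trusted CA for any name is accepted, and the chain depth is left at OpenSSL's default instead of being bounded with SSL_CTX_set_verify_depth(). A post-handshake check that the peer certificate's name matches the upstream host (after SSL_get_verify_result() returns X509_V_OK) plus a configurable depth would make the directive actually pin the upstream. Smaller points in the same hunk: the two blocks duplicate each other although a single SSL_CTX_load_verify_locations(ctx, file, path) call takes both arguments (NULL for the unused one), which would also remove the need to declare the directives mutually exclusive; and `) == 0){` with the closing parenthesis on its own line does not match the file's `if (... == 0) {` style.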

diff -uNr ../nginx-1.4.2/src/event/ngx_event_openssl.h
src/event/ngx_event_openssl.h
--- ../nginx-1.4.2/src/event/ngx_event_openssl.h 2013-07-17
13:51:21.000000000 +0100
+++ src/event/ngx_event_openssl.h 2013-08-28 08:21:26.074300918 +0100
@@ -29,6 +29,8 @@
typedef struct {
SSL_CTX *ctx;
ngx_log_t *log;
+ ngx_str_t ca_certificate_file;
+ ngx_str_t ca_certificate_path;
} ngx_ssl_t;
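Review bot: ngx_ssl_t is the context struct handed to every ngx_ssl_create() caller, including the server-side listener contexts, so adding ca_certificate_file and ca_certificate_path here makes ngx_ssl_create() grow a side effect (SSL_VERIFY_PEER) keyed on fields that most callers never set and that are only meaningful for the proxy. Passing the two strings as arguments to a separate loader function called from the proxy module after ngx_ssl_create() would leave ngx_ssl_t untouched and keep the verification setup next to the code that wants it.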


diff -uNr ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c
src/http/modules/ngx_http_proxy_module.c
--- ../nginx-1.4.2/src/http/modules/ngx_http_proxy_module.c 2013-07-17
13:51:22.000000000 +0100
+++ src/http/modules/ngx_http_proxy_module.c 2013-08-28 08:21:26.074300918
+0100
@@ -511,6 +511,20 @@
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),
NULL },

+ { ngx_string("proxy_ssl_peer_certificate_file"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_file),
+ NULL },
+
+ { ngx_string("proxy_ssl_peer_certificate_path"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_path),
+ NULL },
+
#endif

ngx_null_command
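Review bot: both directives are declared for NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF, but the patch adds no ngx_conf_merge_str_value() for upstream.ssl_certificate_file and upstream.ssl_certificate_path in the proxy module's merge handler, so a value set at http or server level is not inherited by the locations below it; either add the merge or restrict the directives to NGX_HTTP_LOC_CONF. Also worth fixing in this hunk: the mail calls the two directives mutually exclusive, but nothing rejects a configuration that sets both; ngx_conf_set_str_slot() stores the argument verbatim, so a relative path is not resolved against the nginx prefix with ngx_conf_full_name() the way the other certificate-path directives do it; and the directive names say peer_certificate while the fields they write are called ssl_certificate_*, which reads as the proxy's own certificate.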
@@ -3742,6 +3756,11 @@

plcf->upstream.ssl->log = cf->log;

+ plcf->upstream.ssl->ca_certificate_file =
+ plcf->upstream.ssl_certificate_file;
+ plcf->upstream.ssl->ca_certificate_path =
+ plcf->upstream.ssl_certificate_path;
+
if (ngx_ssl_create(plcf->upstream.ssl,
NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
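Review bot: the two strings are copied into plcf->upstream.ssl only at the moment this function runs, and in 1.4.2 ngx_http_proxy_set_ssl() runs from the proxy_pass handler, so the new directives take effect only when they appear before proxy_pass in the same block. Written after it, both strings are still empty when ngx_ssl_create() runs, the `.len > 0` checks skip SSL_CTX_set_verify(), and the upstream connection is made without any verification and without a warning. Since silently disabled verification is the worst failure mode for this feature, consider driving it from an explicit flag (for instance a proxy_ssl_verify on|off directive) and rejecting the configuration when it is on but no trust store is set, rather than inferring enablement from non-empty strings.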
diff -uNr ../nginx-1.4.2/src/http/ngx_http_upstream.h
src/http/ngx_http_upstream.h
--- ../nginx-1.4.2/src/http/ngx_http_upstream.h 2013-07-17
13:51:22.000000000 +0100
+++ src/http/ngx_http_upstream.h 2013-08-28 08:21:26.090300917 +0100
@@ -191,6 +191,8 @@
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl;
ngx_flag_t ssl_session_reuse;
+ ngx_str_t ssl_certificate_file;
+ ngx_str_t ssl_certificate_path;
#endif

ngx_str_t module;
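Review bot: naming. ssl_certificate_file and ssl_certificate_path in ngx_http_upstream_conf_t read as the certificate the proxy itself presents, while the same values are called ca_certificate_file and ca_certificate_path once copied into ngx_ssl_t. Pick one name that says these are trust anchors (e.g. ssl_trusted_certificate and ssl_trusted_path) and use it in both structs and in the directive names.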
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
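The following is an added example, not code from the patch above or from nginx: it exercises, with the openssl(1) command line, exactly what the two directives would hand to SSL_CTX_load_verify_locations(). It builds a private CA and signs an upstream certificate (the CA name "Test CA" and the hosts upstream.example and other.example are constructed here, not taken from the post), lays the CA out both as a single CAfile and as the hashed CApath directory OpenSSL requires for the path form, and then checks three things: a certificate from the CA verifies through either store, a self-signed certificate for the same name does not, and a certificate from the same CA for a different host still passes chain verification, which is the gap that only a hostname check closes. It assumes openssl 1.0.2 or later on PATH.

```shell
#!/bin/sh
# Added example (not part of the patch or of nginx): what
# proxy_ssl_peer_certificate_file / _path would give OpenSSL, tested with openssl(1).
# Names ("Test CA", upstream.example, other.example) are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_FILE="$WORK/ca.pem"
CA_PATH="$WORK/capath"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Fresh P-256 key without a passphrase for every certificate below.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. Self-signed private CA: the trust anchor the proxy would be configured with.
openssl req -x509 $KEYOPTS -sha256 -days 1 -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$CA_FILE" 2>/dev/null

# issue_leaf NAME OUT: CA-signed end-entity certificate with a DNS SAN of NAME.
issue_leaf() {
    openssl req -new $KEYOPTS -sha256 -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" -CA "$CA_FILE" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$2" 2>/dev/null
}
issue_leaf upstream.example "$WORK/upstream.pem"   # the real upstream
issue_leaf other.example    "$WORK/other.pem"      # another host, same CA

# 2. Self-signed certificate for the upstream's name: what an on-path attacker
#    without access to the CA could present.
openssl req -x509 $KEYOPTS -sha256 -days 1 -config "$WORK/req.cnf" \
    -subj "/CN=upstream.example" -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.pem" 2>/dev/null

# 3. CApath layout: the directory lookup opens <subject_hash>.<n>, so a directory
#    of arbitrarily named .pem files is an empty trust store.
mkdir "$CA_PATH"
cp "$CA_FILE" "$CA_PATH/$(openssl x509 -noout -subject_hash -in "$CA_FILE").0"

# chain_ok STORE_FLAG STORE CERT: succeeds when CERT chains to the given store.
# The output is checked instead of the exit code because old openssl(1)
# releases return 0 from "verify" even when verification fails.
chain_ok() {
    openssl verify "$1" "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# host_ok CERT NAME: chain check plus the hostname match that SSL_VERIFY_PEER
# alone does not perform (-verify_hostname needs OpenSSL 1.0.2 or later).
host_ok() {
    openssl verify -CAfile "$CA_FILE" -verify_hostname "$2" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

show() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
show chain_ok -CAfile "$CA_FILE" "$WORK/upstream.pem"   # ok
show chain_ok -CApath "$CA_PATH" "$WORK/upstream.pem"   # ok
show chain_ok -CAfile "$CA_FILE" "$WORK/rogue.pem"      # FAIL
show chain_ok -CAfile "$CA_FILE" "$WORK/other.pem"      # ok: wrong host, trusted CA
show host_ok "$WORK/other.pem" upstream.example         # FAIL
show host_ok "$WORK/upstream.pem" upstream.example      # ok
```

The fourth line of output is the one to look at when evaluating a CA-file-only verification directive: other.example verifies cleanly against the same store, so a proxy that stops at chain validation will accept any certificate that the configured CA (or any CA in a bundle) ever issued for any host. The CApath step also shows why a directory directive needs documentation: without the hashed file names OpenSSL finds nothing and, in the patch above, that would mean an empty trust store rather than an error.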
Thread: Verify Upstream SSL Certs
Phil Parker, August 28, 2013 04:22AM
Re: Verify Upstream SSL Certs, Maxim Dounin, August 28, 2013 04:56AM
Re: Verify Upstream SSL Certs, Phil Parker, August 28, 2013 11:46AM
Re: Verify Upstream SSL Certs, Maxim Dounin, August 28, 2013 12:24PM