Re: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives

Maxim Dounin
April 18, 2014 12:54PM
Hello!

On Wed, Feb 12, 2014 at 08:29:08PM +0400, Maxim Dounin wrote:

> On Tue, Feb 11, 2014 at 01:16:41PM -0800, Piotr Sikora wrote:

[...]

> > > My original suggestion is as follows:
> > >
> > > proxy_ssl_name <value>
> > >
> > > default: $proxy_host
> > > complex value, controls a name used in SNI (if
> > > enabled)
> > >
> > > proxy_ssl_verify on|off
> > >
> > > default: off
> > > flag, controls if remote certificate verification is enabled
> > >
> > > proxy_ssl_verify_name on|off
> > >
> > > default: on
> > > flag, controls if remote certificate verification needs to
> > > check peer's name; must be explicitly switched off
> > > if certificate verification is switched on, but
> > > the name can't be checked due to too old OpenSSL
> >
> > Got it.
>
> Just a quick note:
>
> We've discussed this with Igor, and he thinks that peer's name
> should be always checked, without an ability to switch the
> check off selectively. Mostly to simplify user experience. This
> implies that we either need our own peer's name check code, or
> verification won't work at all if OpenSSL is too old.

Another quick note:

I've committed backend SSL certificate verification code
which mostly matches the above description:

http://hg.nginx.org/nginx/rev/7022564a9e0e
http://hg.nginx.org/nginx/rev/060c2e692b96

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
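
The quoted note says that always checking the peer's name means either carrying an own name check or having no verification on old OpenSSL. As an added illustration (not code from this message or from the nginx commits linked above), here is a minimal length-aware name comparison of the kind such a check needs. The function names and the `cert_name` struct are hypothetical, and the certificate's DNS names are assumed to be already extracted.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical type: one DNS name taken from the peer certificate,
 * with the length recorded in the certificate, not strlen(). */
struct cert_name { const char *data; size_t len; };

static int eq_nocase(const char *a, const char *b, size_t n)
{
    while (n--) {
        if (tolower((unsigned char) *a++) != tolower((unsigned char) *b++))
            return 0;
    }
    return 1;
}

/* Returns 1 if the expected host matches one certificate name. */
int peer_name_matches(const char *host, const char *pat, size_t plen)
{
    size_t hlen = strlen(host);
    const char *dot;
    /* Reject names with an embedded NUL instead of comparing a prefix. */
    if (plen == 0 || memchr(pat, '\0', plen) != NULL)
        return 0;
    if (hlen == plen && eq_nocase(host, pat, plen))
        return 1;                       /* exact, case-insensitive */
    /* "*.example.com": the wildcard stands for exactly one left-most label. */
    if (plen > 2 && pat[0] == '*' && pat[1] == '.') {
        dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        hlen -= (size_t) (dot - host);
        return hlen == plen - 1 && eq_nocase(dot, pat + 1, hlen);
    }
    return 0;
}

/* Verification passes only if some certificate name matches. */
int peer_cert_matches(const char *host, const struct cert_name *names, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (peer_name_matches(host, names[i].data, names[i].len))
            return 1;
    }
    return 0;
}
```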