details: http://hg.nginx.org/nginx/rev/6a7c6973d6fc
branches:
changeset: 5990:6a7c6973d6fc
user: Sergey Kandaurov <pluknet@nginx.com>
date: Fri Feb 27 16:28:31 2015 +0300
description:
Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.

Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.

diffstat:

src/mail/ngx_mail_auth_http_module.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)

diffs (39 lines):

diff -r ec01b1d1fff1 -r 6a7c6973d6fc src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c Wed Feb 25 17:48:05 2015 +0300
+++ b/src/mail/ngx_mail_auth_http_module.c Fri Feb 27 16:28:31 2015 +0300
@@ -1155,6 +1155,7 @@ ngx_mail_auth_http_create_request(ngx_ma
ngx_str_t verify, subject, issuer, serial, fingerprint,
raw_cert, cert;
ngx_connection_t *c;
+ ngx_mail_ssl_conf_t *sslcf;
#endif
ngx_mail_core_srv_conf_t *cscf;

@@ -1169,8 +1170,9 @@ ngx_mail_auth_http_create_request(ngx_ma
#if (NGX_MAIL_SSL)

c = s->connection;
+ sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);

- if (c->ssl) {
+ if (c->ssl && sslcf->verify) {

/* certificate details */

@@ -1339,10 +1341,12 @@ ngx_mail_auth_http_create_request(ngx_ma
b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
sizeof("Auth-SSL: on" CRLF) - 1);

- b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
- sizeof("Auth-SSL-Verify: ") - 1);
- b->last = ngx_copy(b->last, verify.data, verify.len);
- *b->last++ = CR; *b->last++ = LF;
+ if (verify.len) {
+ b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
+ sizeof("Auth-SSL-Verify: ") - 1);
+ b->last = ngx_copy(b->last, verify.data, verify.len);
+ *b->last++ = CR; *b->last++ = LF;
+ }

if (subject.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Subject: ",

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel