
Re: [PATCH] SSL: fix order of checks during SSL certificate verification

Maxim Dounin
September 05, 2016 10:18AM
Hello!

On Sat, Sep 03, 2016 at 03:27:35PM -0700, Piotr Sikora wrote:

> Hey Maxim,
>
> > No, you are incorrect here. "In connection with" means that
> > SSL_get_peer_certificate() should be used, but doesn't require it
> > to be used always, in all cases. In particular,
> > SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> > returns anything but X509_V_OK.
>
> Sigh, why do you insist on checking status of verification of client
> certificate that wasn't sent in the first place?

It's not me who insists on anything. It's you who insists that the
current code is wrong. It's not.

> > Because ngx_ssl_verify_host() is expected to be a generic
> > function, and it can be used in situations different from talking
> > to upstream servers.
>
> Like what, exactly?

For example, it can be used to verify a host of auth_http server
in mail, or an OCSP responder - if we implement SSL there.

> Also, for the record, are you fine with "client" in
> ngx_ssl_verify_client() or is that also expected to be generic
> function?

Yes, more or less. I'm not fine with the ngx_ssl_verify_client()
implementation as suggested in patches I've seen so far, as it
seems too biased to the current use of client verification in http
module, but it's a different question.

--
Maxim Dounin
http://nginx.org/
