[PATCH] Make ssl upstream server name check configurable

Zhihua Cao
October 13, 2017 06:16AM
# HG changeset patch
# User Zhihua Cao <czhihua@vmware.com>
# Date 1507889088 25200
# Fri Oct 13 03:04:48 2017 -0700
# Node ID d3ea6fe7edb19f55896ec1b77f76d23b7fb598a4
# Parent 648b1cca8f50d83eea02a6cc2c105ae95a3f3d72
Make ssl upstream server name check configurable

Now nginx always checks the common name in the upstream's certificate
against upstream.ssl_name. But they are not always the same; if the check
fails, the SSL handshake will fail. If proxy_ssl_server_name_check is off,
turn off the check.

diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c Fri Oct 13 03:04:48 2017 -0700
@@ -673,6 +673,13 @@
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
NULL },

+ { ngx_string("proxy_ssl_server_name_check"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name_check),
+ NULL },
+
{ ngx_string("proxy_ssl_verify_depth"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_num_slot,
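Review bot: the new proxy_ssl_server_name_check directive comes with no documentation change, and neither this table entry nor the commit message says what switching it off means: with proxy_ssl_verify on, the upstream certificate is then validated only against the trusted CA chain and no longer against the name from proxy_ssl_name, so a certificate issued by any trusted CA for any host is accepted. Please document the directive (and its default of on) next to proxy_ssl_verify, and consider whether a name such as proxy_ssl_verify_host reads better alongside proxy_ssl_verify and proxy_ssl_verify_depth, since the check being disabled is part of certificate verification rather than of SNI (proxy_ssl_server_name).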
@@ -2906,6 +2913,7 @@
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
+ conf->upstream.ssl_server_name_check = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
#endif
@@ -3237,6 +3245,8 @@
prev->upstream.ssl_server_name, 0);
ngx_conf_merge_value(conf->upstream.ssl_verify,
prev->upstream.ssl_verify, 0);
+ ngx_conf_merge_value(conf->upstream.ssl_server_name_check,
+ prev->upstream.ssl_server_name_check, 1);
ngx_conf_merge_uint_value(conf->ssl_verify_depth,
prev->ssl_verify_depth, 1);
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
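Review bot: merging with a default of 1 keeps the hostname check enabled unless the directive is explicitly set to off, so existing configurations keep their current behaviour; the commit message should state that, because "turn off the check" in it can be read as describing the new default rather than the opt-out.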
diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.c Fri Oct 13 03:04:48 2017 -0700
@@ -1733,7 +1733,8 @@
goto failed;
}

- if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
+ if (u->conf->ssl_server_name_check
+ && ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"upstream SSL certificate does not match \"%V\"",
&u->ssl_name);
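Review bot: the condition is correct for the proxy module, but when ssl_server_name_check is off the certificate is now accepted with no record that the name check was skipped, while the error branch below still logs a mismatch. Add a matching debug message in the skip case, along the lines of "upstream SSL certificate name check disabled", so an operator reading the debug log can see why a certificate issued for a different name was accepted for this upstream.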
diff -r 648b1cca8f50 -r d3ea6fe7edb1 src/http/ngx_http_upstream.h
--- a/src/http/ngx_http_upstream.h Wed Oct 11 01:23:29 2017 -0700
+++ b/src/http/ngx_http_upstream.h Fri Oct 13 03:04:48 2017 -0700
@@ -229,6 +229,7 @@
ngx_http_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name;
ngx_flag_t ssl_verify;
+ ngx_flag_t ssl_server_name_check;
#endif

ngx_str_t module;
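Review bot: ssl_server_name_check is added to the shared ngx_http_upstream_conf_t and tested in ngx_http_upstream.c, which runs the SSL handshake for every module that uses upstream SSL, but only ngx_http_proxy_module.c initializes and merges the new field in this patch. Any other module with upstream SSL verification (uwsgi_ssl_verify, for example) will evaluate whatever its configuration struct happens to hold for the field, most likely zero from allocation, which would silently disable the hostname check for those upstreams. Either add the same create/merge handling (with the default of 1) to every module that sets ssl_verify, or keep the flag proxy-specific and make the ngx_http_upstream.c check default to enabled when the field is unset.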
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel