mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Upstream: proxy_ssl_verify and friends.

Browse Source
This commit is contained in:
Maxim Dounin 2014-04-18 20:13:30 +04:00
parent 59ef4a3417
commit 27475dd7ee
5 changed files with 255 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
src/event/ngx_event_openssl.c
View File

@ -44,6 +44,10 @@ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
HMAC_CTX *hctx, int enc); HMAC_CTX *hctx, int enc);
#endif #endif
#if OPENSSL_VERSION_NUMBER < 0x10002001L
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
#endif
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle); static void ngx_openssl_exit(ngx_cycle_t *cycle);
@ -2486,6 +2490,166 @@ ngx_ssl_cleanup_ctx(void *data)
} }
ngx_int_t
ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
{
X509 *cert;
cert = SSL_get_peer_certificate(c->ssl->connection);
if (cert == NULL) {
return NGX_ERROR;
}
#if OPENSSL_VERSION_NUMBER >= 0x10002001L
/* X509_check_host() is only available in OpenSSL 1.0.2+ */
if (X509_check_host(cert, name->data, name->len, 0) != 1) {
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"X509_check_host(): no match");
goto failed;
}
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"X509_check_host(): match");
goto found;
#else
{
int n, i;
X509_NAME *sname;
ASN1_STRING *str;
X509_NAME_ENTRY *entry;
GENERAL_NAME *altname;
STACK_OF(GENERAL_NAME) *altnames;
/*
* As per RFC6125 and RFC2818, we check subjectAltName extension,
* and if it's not present - commonName in Subject is checked.
*/
altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (altnames) {
n = sk_GENERAL_NAME_num(altnames);
for (i = 0; i < n; i++) {
altname = sk_GENERAL_NAME_value(altnames, i);
if (altname->type != GEN_DNS) {
continue;
}
str = altname->d.dNSName;
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL subjectAltName: \"%*s\"",
ASN1_STRING_length(str), ASN1_STRING_data(str));
if (ngx_ssl_check_name(name, str) == NGX_OK) {
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL subjectAltName: match");
GENERAL_NAMES_free(altnames);
goto found;
}
}
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL subjectAltName: no match");
GENERAL_NAMES_free(altnames);
goto failed;
}
/*
* If there is no subjectAltName extension, check commonName
* in Subject. While RFC2818 requires to only check "most specific"
* CN, both Apache and OpenSSL check all CNs, and so do we.
*/
sname = X509_get_subject_name(cert);
if (sname == NULL) {
goto failed;
}
i = -1;
for ( ;; ) {
i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
if (i < 0) {
break;
}
entry = X509_NAME_get_entry(sname, i);
str = X509_NAME_ENTRY_get_data(entry);
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL commonName: \"%*s\"",
ASN1_STRING_length(str), ASN1_STRING_data(str));
if (ngx_ssl_check_name(name, str) == NGX_OK) {
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL commonName: match");
goto found;
}
}
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL commonName: no match");
}
#endif
failed:
X509_free(cert);
return NGX_ERROR;
found:
X509_free(cert);
return NGX_OK;
}
#if OPENSSL_VERSION_NUMBER < 0x10002001L
static ngx_int_t
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
{
u_char *s, *p, *end;
size_t slen, plen;
s = name->data;
slen = name->len;
p = ASN1_STRING_data(pattern);
plen = ASN1_STRING_length(pattern);
if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
return NGX_OK;
}
if (plen > 2 && p[0] == '*' && p[1] == '.') {
plen -= 1;
p += 1;
end = s + slen;
s = ngx_strlchr(s, end, '.');
slen = end - s;
if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
return NGX_OK;
}
}
return NGX_ERROR;
}
#endif
ngx_int_t ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{ {

2
src/event/ngx_event_openssl.h
View File

@ -150,6 +150,8 @@ ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
|| n == X509_V_ERR_CERT_UNTRUSTED \ || n == X509_V_ERR_CERT_UNTRUSTED \
|| n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) || n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s); ngx_str_t *s);

62
src/http/modules/ngx_http_proxy_module.c
View File

@ -81,6 +81,9 @@ typedef struct {
ngx_uint_t ssl; ngx_uint_t ssl;
ngx_uint_t ssl_protocols; ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers; ngx_str_t ssl_ciphers;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
#endif #endif
} ngx_http_proxy_loc_conf_t; } ngx_http_proxy_loc_conf_t;
@ -567,6 +570,34 @@ static ngx_command_t ngx_http_proxy_commands[] = {
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name), offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
NULL }, NULL },
{ ngx_string("proxy_ssl_verify"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
NULL },
{ ngx_string("proxy_ssl_verify_depth"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_num_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth),
NULL },
{ ngx_string("proxy_ssl_trusted_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate),
NULL },
{ ngx_string("proxy_ssl_crl"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
NULL },
#endif #endif
ngx_null_command ngx_null_command
@ -2418,6 +2449,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
* conf->ssl = 0; * conf->ssl = 0;
* conf->ssl_protocols = 0; * conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL }; * conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
*/ */
conf->upstream.store = NGX_CONF_UNSET; conf->upstream.store = NGX_CONF_UNSET;
@ -2460,6 +2493,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
#if (NGX_HTTP_SSL) #if (NGX_HTTP_SSL)
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
conf->upstream.ssl_server_name = NGX_CONF_UNSET; conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
#endif #endif
/* "proxy_cyclic_temp_file" is disabled */ /* "proxy_cyclic_temp_file" is disabled */
@ -2749,6 +2784,13 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_value(conf->upstream.ssl_server_name, ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0); prev->upstream.ssl_server_name, 0);
ngx_conf_merge_value(conf->upstream.ssl_verify,
prev->upstream.ssl_verify, 0);
ngx_conf_merge_uint_value(conf->ssl_verify_depth,
prev->ssl_verify_depth, 1);
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
@ -3818,6 +3860,26 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
return NGX_ERROR; return NGX_ERROR;
} }
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
!= NGX_OK)
{
return NGX_ERROR;
}
if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {
return NGX_ERROR;
}
}
return NGX_OK; return NGX_OK;
} }

27
src/http/ngx_http_upstream.c
View File

@ -1364,7 +1364,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
c->sendfile = 0; c->sendfile = 0;
u->output.sendfile = 0; u->output.sendfile = 0;
if (u->conf->ssl_server_name) { if (u->conf->ssl_server_name || u->conf->ssl_verify) {
if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) { if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u, ngx_http_upstream_finalize_request(r, u,
NGX_HTTP_INTERNAL_SERVER_ERROR); NGX_HTTP_INTERNAL_SERVER_ERROR);
@ -1396,6 +1396,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
static void static void
ngx_http_upstream_ssl_handshake(ngx_connection_t *c) ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
{ {
long rc;
ngx_http_request_t *r; ngx_http_request_t *r;
ngx_http_upstream_t *u; ngx_http_upstream_t *u;
@ -1404,6 +1405,24 @@ ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
if (c->ssl->handshaked) { if (c->ssl->handshaked) {
if (u->conf->ssl_verify) {
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"upstream SSL certificate verify error: (%l:%s)",
rc, X509_verify_cert_error_string(rc));
goto failed;
}
if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"upstream SSL certificate does not match \"%V\"",
&u->ssl_name);
goto failed;
}
}
if (u->conf->ssl_session_reuse) { if (u->conf->ssl_session_reuse) {
u->peer.save_session(&u->peer, u->peer.data); u->peer.save_session(&u->peer, u->peer.data);
} }
@ -1419,6 +1438,8 @@ ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
return; return;
} }
failed:
c = r->connection; c = r->connection;
ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
@ -1469,6 +1490,10 @@ ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
name.len = p - name.data; name.len = p - name.data;
} }
if (!u->conf->ssl_server_name) {
goto done;
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
/* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */ /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */

1
src/http/ngx_http_upstream.h
View File

@ -198,6 +198,7 @@ typedef struct {
ngx_http_complex_value_t *ssl_name; ngx_http_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name; ngx_flag_t ssl_server_name;
ngx_flag_t ssl_verify;
#endif #endif
ngx_str_t module; ngx_str_t module;