mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSL: $ssl_client_verify extended with a failure reason.

Browse Source 
Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.
This commit is contained in:
Maxim Dounin 2016-12-05 22:23:22 +03:00
parent 27bcceb24b
commit 919f536329
1 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/event/ngx_event_openssl.c
View File

@ -3717,23 +3717,33 @@ ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
ngx_int_t ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{ {
X509 *cert; X509 *cert;
long rc;
const char *str;
if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { cert = SSL_get_peer_certificate(c->ssl->connection);
ngx_str_set(s, "FAILED"); if (cert == NULL) {
ngx_str_set(s, "NONE");
return NGX_OK; return NGX_OK;
} }
cert = SSL_get_peer_certificate(c->ssl->connection); X509_free(cert);
if (cert) { rc = SSL_get_verify_result(c->ssl->connection);
if (rc == X509_V_OK) {
ngx_str_set(s, "SUCCESS"); ngx_str_set(s, "SUCCESS");
return NGX_OK;
} else {
ngx_str_set(s, "NONE");
} }
X509_free(cert); str = X509_verify_cert_error_string(rc);
s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
if (s->data == NULL) {
return NGX_ERROR;
}
s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
return NGX_OK; return NGX_OK;
} }