From de3adad8073d20404ce2e2b54f73aa9c72ce4e88 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Fri, 27 Feb 2015 16:28:31 +0300 Subject: [PATCH] Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client. Previously, the Auth-SSL-Verify header with the "NONE" value was always passed to the auth_http script if verification of client certificates is disabled. --- src/mail/ngx_mail_auth_http_module.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c index b8b43eb2b..e4fbb0d26 100644 --- a/src/mail/ngx_mail_auth_http_module.c +++ b/src/mail/ngx_mail_auth_http_module.c @@ -1155,6 +1155,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, ngx_str_t verify, subject, issuer, serial, fingerprint, raw_cert, cert; ngx_connection_t *c; + ngx_mail_ssl_conf_t *sslcf; #endif ngx_mail_core_srv_conf_t *cscf; @@ -1169,8 +1170,9 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, #if (NGX_MAIL_SSL) c = s->connection; + sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); - if (c->ssl) { + if (c->ssl && sslcf->verify) { /* certificate details */ @@ -1339,10 +1341,12 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF, sizeof("Auth-SSL: on" CRLF) - 1); - b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ", - sizeof("Auth-SSL-Verify: ") - 1); - b->last = ngx_copy(b->last, verify.data, verify.len); - *b->last++ = CR; *b->last++ = LF; + if (verify.len) { + b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ", + sizeof("Auth-SSL-Verify: ") - 1); + b->last = ngx_copy(b->last, verify.data, verify.len); + *b->last++ = CR; *b->last++ = LF; + } if (subject.len) { b->last = ngx_cpymem(b->last, "Auth-SSL-Subject: ",