comparison src/http/ngx_http_upstream.c @ 5661:060c2e692b96
Upstream: proxy_ssl_verify and friends.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 18 Apr 2014 20:13:30 +0400 |
parents | 7022564a9e0e |
children | 16405e02e612 |
5660:7022564a9e0e | 5661:060c2e692b96 |
---|---|
1362 } | 1362 } |
1363 | 1363 |
1364 c->sendfile = 0; | 1364 c->sendfile = 0; |
1365 u->output.sendfile = 0; | 1365 u->output.sendfile = 0; |
1366 | 1366 |
1367 if (u->conf->ssl_server_name) { | 1367 if (u->conf->ssl_server_name || u->conf->ssl_verify) { |
1368 if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) { | 1368 if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) { |
1369 ngx_http_upstream_finalize_request(r, u, | 1369 ngx_http_upstream_finalize_request(r, u, |
1370 NGX_HTTP_INTERNAL_SERVER_ERROR); | 1370 NGX_HTTP_INTERNAL_SERVER_ERROR); |
1371 return; | 1371 return; |
1372 } | 1372 } |
1394 | 1394 |
1395 | 1395 |
1396 static void | 1396 static void |
1397 ngx_http_upstream_ssl_handshake(ngx_connection_t *c) | 1397 ngx_http_upstream_ssl_handshake(ngx_connection_t *c) |
1398 { | 1398 { |
1399 long rc; | |
1399 ngx_http_request_t *r; | 1400 ngx_http_request_t *r; |
1400 ngx_http_upstream_t *u; | 1401 ngx_http_upstream_t *u; |
1401 | 1402 |
1402 r = c->data; | 1403 r = c->data; |
1403 u = r->upstream; | 1404 u = r->upstream; |
1404 | 1405 |
1405 if (c->ssl->handshaked) { | 1406 if (c->ssl->handshaked) { |
1406 | 1407 |
1408 if (u->conf->ssl_verify) { | |
1409 rc = SSL_get_verify_result(c->ssl->connection); | |
1410 | |
1411 if (rc != X509_V_OK) { | |
1412 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
1413 "upstream SSL certificate verify error: (%l:%s)", | |
1414 rc, X509_verify_cert_error_string(rc)); | |
1415 goto failed; | |
1416 } | |
1417 | |
1418 if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) { | |
1419 ngx_log_error(NGX_LOG_ERR, c->log, 0, | |
1420 "upstream SSL certificate does not match \"%V\"", | |
1421 &u->ssl_name); | |
1422 goto failed; | |
1423 } | |
1424 } | |
1425 | |
1407 if (u->conf->ssl_session_reuse) { | 1426 if (u->conf->ssl_session_reuse) { |
1408 u->peer.save_session(&u->peer, u->peer.data); | 1427 u->peer.save_session(&u->peer, u->peer.data); |
1409 } | 1428 } |
1410 | 1429 |
1411 c->write->handler = ngx_http_upstream_handler; | 1430 c->write->handler = ngx_http_upstream_handler; |
1416 ngx_http_upstream_send_request(r, u); | 1435 ngx_http_upstream_send_request(r, u); |
1417 | 1436 |
1418 ngx_http_run_posted_requests(c); | 1437 ngx_http_run_posted_requests(c); |
1419 return; | 1438 return; |
1420 } | 1439 } |
1440 | |
1441 failed: | |
1421 | 1442 |
1422 c = r->connection; | 1443 c = r->connection; |
1423 | 1444 |
1424 ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); | 1445 ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); |
1425 | 1446 |
1465 | 1486 |
1466 p = ngx_strlchr(p, last, ':'); | 1487 p = ngx_strlchr(p, last, ':'); |
1467 | 1488 |
1468 if (p != NULL) { | 1489 if (p != NULL) { |
1469 name.len = p - name.data; | 1490 name.len = p - name.data; |
1491 } | |
1492 | |
1493 if (!u->conf->ssl_server_name) { | |
1494 goto done; | |
1470 } | 1495 } |
1471 | 1496 |
1472 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 1497 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
1473 | 1498 |
1474 /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */ | 1499 /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */ |