comparison src/http/ngx_http_upstream.c @ 5661:060c2e692b96

Upstream: proxy_ssl_verify and friends.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 18 Apr 2014 20:13:30 +0400
parents 7022564a9e0e
children 16405e02e612
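--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1362,11 +1362,11 @@
 }
 
 c->sendfile = 0;
 u->output.sendfile = 0;
 
-if (u->conf->ssl_server_name) {
+if (u->conf->ssl_server_name || u->conf->ssl_verify) {
 if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
 ngx_http_upstream_finalize_request(r, u,
 NGX_HTTP_INTERNAL_SERVER_ERROR);
 return;
 }
@@ -1394,18 +1394,37 @@
 
 
 static void
 ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
 {
+long rc;
 ngx_http_request_t *r;
 ngx_http_upstream_t *u;
 
 r = c->data;
 u = r->upstream;
 
 if (c->ssl->handshaked) {
 
+if (u->conf->ssl_verify) {
+rc = SSL_get_verify_result(c->ssl->connection);
+
+if (rc != X509_V_OK) {
+ngx_log_error(NGX_LOG_ERR, c->log, 0,
+"upstream SSL certificate verify error: (%l:%s)",
+rc, X509_verify_cert_error_string(rc));
+goto failed;
+}
+
+if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) {
+ngx_log_error(NGX_LOG_ERR, c->log, 0,
+"upstream SSL certificate does not match \"%V\"",
+&u->ssl_name);
+goto failed;
+}
+}
+
 if (u->conf->ssl_session_reuse) {
 u->peer.save_session(&u->peer, u->peer.data);
 }
 
 c->write->handler = ngx_http_upstream_handler;
@@ -1416,10 +1435,12 @@
 ngx_http_upstream_send_request(r, u);
 
 ngx_http_run_posted_requests(c);
 return;
 }
+
+failed:
 
 c = r->connection;
 
 ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
 
@@ -1465,10 +1486,14 @@
 
 p = ngx_strlchr(p, last, ':');
 
 if (p != NULL) {
 name.len = p - name.data;
+}
+
+if (!u->conf->ssl_server_name) {
+goto done;
 }
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
 /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */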
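Review bot: The chain check added to ngx_http_upstream_ssl_handshake (new lines 1409–1416) does not by itself reject an upstream that sent no certificate, because SSL_get_verify_result() returns X509_V_OK when no peer certificate was presented. Rejection in that case rests entirely on ngx_ssl_check_host() failing. Its body is not on this page, so confirm that it does, and record the dependency above the host check with a comment such as `/* SSL_get_verify_result() is X509_V_OK without a peer certificate; ngx_ssl_check_host() must fail then */`. The `done` label targeted by the new `goto done` in ngx_http_upstream_ssl_name is also outside the visible hunks. It is therefore not possible to check from here that u->ssl_name ends up holding the port-stripped name when only ssl_verify is enabled.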