comparison src/event/ngx_event_openssl.c @ 6814:379139020d36

SSL: $ssl_client_verify extended with a failure reason. Now in case of a verification failure $ssl_client_verify contains "FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g., "FAILED:certificate has expired". Detailed description of possible errors can be found in the verify(1) manual page as provided by OpenSSL.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 05 Dec 2016 22:23:22 +0300
parents a7ec59df0c4d
children 2d15fff64e3c
6813:94586180fb41 6814:379139020d36
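--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3715,27 +3715,37 @@
 
 
 ngx_int_t
 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     X509 *cert;
-
-    if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
-        ngx_str_set(s, "FAILED");
+    long rc;
+    const char *str;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        ngx_str_set(s, "NONE");
         return NGX_OK;
     }
 
-    cert = SSL_get_peer_certificate(c->ssl->connection);
+    X509_free(cert);
 
-    if (cert) {
+    rc = SSL_get_verify_result(c->ssl->connection);
+
+    if (rc == X509_V_OK) {
         ngx_str_set(s, "SUCCESS");
-
-    } else {
-        ngx_str_set(s, "NONE");
-    }
+        return NGX_OK;
+    }
+
+    str = X509_verify_cert_error_string(rc);
 
-    X509_free(cert);
+    s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
 
     return NGX_OK;
 }
 
 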
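Review bot: ngx_ssl_get_client_verify() can now return NGX_ERROR (the ngx_pnalloc() failure branch at new line 3743) where it previously always returned NGX_OK, and nothing in the hunk documents that or the three value forms the variable can take, so every caller of this getter must be checked to propagate a non-NGX_OK result rather than using an unset `s`; the callers are outside this hunk, so I cannot confirm that here. I would add a header comment above the function along the lines of `/* Sets *s to "NONE" (no peer certificate), "SUCCESS" (verify result X509_V_OK) or "FAILED:<reason>" with the reason text from X509_verify_cert_error_string(); returns NGX_ERROR only if the pool allocation fails. */`. The `X509_free(cert)` right after the NULL check also deserves a one-line why-comment, e.g. `/* the certificate is only probed for presence; the verdict comes from SSL_get_verify_result() */`, since the sequence get-then-free reads like a leak-fix rather than intent. As far as I know X509_verify_cert_error_string() returns a static string even for unknown codes, which is what makes the unguarded `ngx_strlen(str)` safe; worth stating in a comment, because a NULL there would be dereferenced.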