# HG changeset patch
# User Maxim Dounin
# Date 1480965802 -10800
# Node ID 379139020d369ab231be23a8c01cd8d904d43a7f
# Parent 94586180fb412cdbdf2d7fc407024bed25b46fef
SSL: $ssl_client_verify extended with a failure reason.

Now in case of a verification failure $ssl_client_verify contains "FAILED:", similar to Apache's SSL_CLIENT_VERIFY, e.g., "FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1) manual page as provided by OpenSSL.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3717,24 +3717,34 @@ ngx_ssl_get_fingerprint(ngx_connection_t
 ngx_int_t
 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
- X509 *cert;
-
- if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
- ngx_str_set(s, "FAILED");
- return NGX_OK;
- }
+ X509 *cert;
+ long rc;
+ const char *str;
 
 cert = SSL_get_peer_certificate(c->ssl->connection);
-
- if (cert) {
- ngx_str_set(s, "SUCCESS");
-
- } else {
+ if (cert == NULL) {
 ngx_str_set(s, "NONE");
+ return NGX_OK;
 }
 
 X509_free(cert);
 
+ rc = SSL_get_verify_result(c->ssl->connection);
+
+ if (rc == X509_V_OK) {
+ ngx_str_set(s, "SUCCESS");
+ return NGX_OK;
+ }
+
+ str = X509_verify_cert_error_string(rc);
+
+ s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
+
 return NGX_OK;
 }
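Review bot: The failed-verification value changes from the exact string `FAILED` to `FAILED:<reason>`, so any existing configuration that tests `$ssl_client_verify = FAILED` instead of `!= SUCCESS` silently stops matching, and the text after the colon comes from `X509_verify_cert_error_string()` and differs between OpenSSL releases, so it must never be compared exactly; the commit message and the variable's documentation should say so. The new code itself is sound: the OpenSSL-owned string is copied at once into pool memory sized by `ngx_strlen(str)`, so it does not matter that older OpenSSL releases (1.0.x, if I recall correctly) return a static scratch buffer for unknown error codes. That non-obvious point deserves a comment above `str = X509_verify_cert_error_string(rc);`, e.g. `/* OpenSSL-owned, possibly static, string: copied below, never NULL */`. Checking for a missing peer certificate before consulting the verify result is consistent with OpenSSL's documented behavior of reporting X509_V_OK when no certificate was presented, so the reordering is an improvement rather than a regression.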