Mercurial > hg > nginx

changeset 6814:379139020d36

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: $ssl_client_verify extended with a failure reason. Now in case of a verification failure $ssl_client_verify contains "FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g., "FAILED:certificate has expired". Detailed description of possible errors can be found in the verify(1) manual page as provided by OpenSSL.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 05 Dec 2016 22:23:22 +0300
parents 94586180fb41
children 2d15fff64e3c
files src/event/ngx_event_openssl.c
diffstat 1 files changed, 21 insertions(+), 11 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3717,24 +3717,34 @@ ngx_ssl_get_fingerprint(ngx_connection_t
 ngx_int_t
 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
-    X509  *cert;
-
-    if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
-        ngx_str_set(s, "FAILED");
-        return NGX_OK;
-    }
+    X509        *cert;
+    long         rc;
+    const char  *str;
 
     cert = SSL_get_peer_certificate(c->ssl->connection);
-
-    if (cert) {
-        ngx_str_set(s, "SUCCESS");
-
-    } else {
+    if (cert == NULL) {
         ngx_str_set(s, "NONE");
+        return NGX_OK;
     }
 
     X509_free(cert);
 
+    rc = SSL_get_verify_result(c->ssl->connection);
+
+    if (rc == X509_V_OK) {
+        ngx_str_set(s, "SUCCESS");
+        return NGX_OK;
+    }
+
+    str = X509_verify_cert_error_string(rc);
+
+    s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+    if (s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
+
     return NGX_OK;
 }