From 99daa8e5d4e83174b9a8c0360d4e52a8a9dac4c5 Mon Sep 17 00:00:00 2001 From: Igor Sysoev Date: Mon, 26 Oct 2009 16:53:34 +0000 Subject: merge r2995, r2996, r2997, r2998, r3003, r3141, r3210, r3211, r3232: various SSL fixes and features: *) $ssl_client_verify *) "ssl_verify_client ask" was changed to "ssl_verify_client optional" *) ssl_crl *) delete OpenSSL pre-0.9.7 compatibility: the sources were not actually compatible with OpenSSL 0.9.6 since ssl_session_cache introduction *) fix memory corruption in $ssl_client_cert *) issue SNI warning instead of failure: this is too common case *) use ngx_log_error(), since OpenSSL does not set an error on the failure *) add SNI support in -V output --- src/http/ngx_http_request.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'src/http/ngx_http_request.c') diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 8206666a4..ca6530045 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1520,7 +1520,7 @@ ngx_http_process_request(ngx_http_request_t *r) sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); - if (sscf->verify == 1) { + if (sscf->verify) { rc = SSL_get_verify_result(c->ssl->connection); if (rc != X509_V_OK) { @@ -1535,20 +1535,22 @@ ngx_http_process_request(ngx_http_request_t *r) return; } - cert = SSL_get_peer_certificate(c->ssl->connection); + if (sscf->verify == 1) { + cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "client sent no required SSL certificate"); + if (cert == NULL) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent no required SSL certificate"); - ngx_ssl_remove_cached_session(sscf->ssl.ctx, + ngx_ssl_remove_cached_session(sscf->ssl.ctx, (SSL_get0_session(c->ssl->connection))); - ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT); - return; - } + ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT); + return; + } - X509_free(cert); + X509_free(cert); + } } } -- cgit