From 919f53632940cfa9b9f24fdffeaf1f3d5b4fc700 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 5 Dec 2016 22:23:22 +0300
Subject: SSL: $ssl_client_verify extended with a failure reason.
Now in case of a verification failure $ssl_client_verify contains "FAILED:", similar to Apache's SSL_CLIENT_VERIFY, e.g., "FAILED:certificate has expired". Detailed description of possible errors can be found in the verify(1) manual page as provided by OpenSSL.
---
src/event/ngx_event_openssl.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
(limited to 'src')
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 7fc25ca54..cb0dd2e4b 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3717,23 +3717,33 @@ ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 ngx_int_t
 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
- X509 *cert;
+ X509 *cert;
+ long rc;
+ const char *str;
- if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
- ngx_str_set(s, "FAILED");
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ ngx_str_set(s, "NONE");
 return NGX_OK;
 }
- cert = SSL_get_peer_certificate(c->ssl->connection);
+ X509_free(cert);
+
+ rc = SSL_get_verify_result(c->ssl->connection);
- if (cert) {
+ if (rc == X509_V_OK) {
 ngx_str_set(s, "SUCCESS");
+ return NGX_OK;
+ }
- } else {
- ngx_str_set(s, "NONE");
+ str = X509_verify_cert_error_string(rc);
+
+ s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+ if (s->data == NULL) {
+ return NGX_ERROR;
 }
- X509_free(cert);
+ s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
 return NGX_OK;
 }
-- cgit
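Review bot: The new failure branch relies on two invariants that are not stated anywhere: that X509_verify_cert_error_string(rc) never returns NULL (OpenSSL maps unknown codes to a static "unknown" string, so ngx_strlen(str) is safe), and that the unbounded ngx_sprintf on the last added line cannot overrun because the buffer on the ngx_pnalloc line is sized to exactly sizeof("FAILED:") - 1 + ngx_strlen(str). A one-line comment above the allocation would make both explicit, e.g. `/* str is a static OpenSSL table entry (never NULL, no peer-controlled bytes); buffer sized exactly for "FAILED:" + str */`. It is also worth noting near that comment that the reason text is taken verbatim from OpenSSL's table and contains no data from the peer certificate, since $ssl_client_verify is commonly forwarded to upstreams in a header and a reader may otherwise suspect an injection path. Consumers that previously compared the variable against the fixed token "FAILED" now need a prefix match; the commit message already implies this but the code does not say it.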