Hello!

On Sat, Sep 03, 2016 at 03:27:35PM -0700, Piotr Sikora wrote:

> Hey Maxim,
>
> > No, you are incorrect here.  "In connection with" means that
> > SSL_get_peer_certificate() should be used, but doesn't require it
> > to be used always, in all cases.  In particular,
> > SSL_get_peer_certificate() is useless when SSL_get_verify_result()
> > returns anything but X509_V_OK.
>
> Sigh, why do you insist on checking status of verification of client
> certificate that wasn't sent in the first place?

It's not me who insists on anything.  It's you who insist that the
current code is wrong.  It's not.

> > Because ngx_ssl_verify_host() is expected to be a generic
> > function, and it can be used in situations different from talking
> > to upstream servers.
>
> Like what, exactly?

For example, it can be used to verify a host of auth_http server
in mail, or OCSP responder - if we'll implement SSL there.

> Also, for the record, are you fine with "client" in
> ngx_ssl_verify_client() or is that also expected to be generic
> function?

Yes, more or less.  I'm not fine with the ngx_ssl_verify_client()
implementation as suggested in patches I've seen so far, as it
seems too biased to the current use of client verification in http
module, but it's a different question.

-- 
Maxim Dounin
http://nginx.org/