Hi,
first I would like to say thanks for the proxy ssl verification that landed in
nginx 1.7.
Regarding that, there is one slight problem I’ve found when creating a proxy
that dynamically accesses different hosts.
The configuration is limited to setting a certificate and does not use a CA path
at all.
OpenSSL has a compiled-in default CA path, and on some distributions it points
to the system trusted CA store.
What I propose is a configuration flag to set
`SSL_CTX_set_default_verify_paths`.
My unpolished patch is:
--- bundle/nginx-1.7.4/src/event/ngx_event_openssl.c.orig 2014-09-10
23:33:09.000000000 +0200
+++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c 2014-09-10
23:33:49.000000000 +0200
@@ -498,6 +498,7 @@
SSL_CTX_set_verify_depth(ssl->ctx, depth);
if (cert->len == 0) {
+ SSL_CTX_set_default_verify_paths(ssl->ctx);
return NGX_OK;
}
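Review bot: the return value of `SSL_CTX_set_default_verify_paths(ssl->ctx)` added before the `return NGX_OK;` is never checked; it returns 0 when the default locations cannot be loaded, and this hunk would then report success while the context has no trusted certificates at all. The surrounding code checks its other OpenSSL calls and reports failures through `ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ...)`, so this call should do the same and return `NGX_ERROR` on failure. Two further points worth documenting with the change: the new behaviour is triggered silently whenever `cert->len == 0`, so every existing configuration without a trusted certificate starts trusting the system store after upgrading, which matches the "certainly has some drawbacks" caveat and argues for the explicit `system` keyword proposed below rather than a default; and the default paths honour the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, so what is trusted depends on the environment nginx is started in, not only on nginx.conf.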
When there is no certificate, load defaults. That certainly has some drawbacks.
So I would propose something like `proxy_ssl_trusted_certificate system;`.
What do you think? It could increase the memory load, but it is really
convenient for general ssl verification.
Another proposed solution (
https://groups.google.com/forum/#!topic/openresty-en/SuqORBK9ys0 ) was to
export the system certificates and load them from one file.
That does not work for me, as I need to make a reusable nginx configuration that
can be deployed on many platforms, and it would be hard to instruct people how
to do it.
Best,
Michal Cichra
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx