Hello!

On Wed, Feb 10, 2016 at 04:25:06PM +0000, Richard Kearsley wrote:

> Hello
> I'm trying to enable this option on a proxy_pass location:
>
> proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
> proxy_ssl_verify on;
> proxy_ssl_verify_depth 9;
>
> /etc/ssl/certs/ca-certificates.crt is compiled by update-ca-certificates
> (http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html)
>
> My understanding is that this option will prevent, for example, self-signed
> certificates or certificates where the server name requested is different
> than in the certificate, is that correct?

Yes.

> I have tried it and while it works for self-signed (returns 502) it still
> lets a non matching server name through the proxy (properly signed
> certificate, but wrong name)

Please provide an example.

--
Maxim Dounin
http://nginx.org/
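
A configuration sketch for the setup discussed above, added here as an example and not taken from the thread or from the nginx project. It shows which name nginx compares against the upstream certificate when `proxy_ssl_verify` is on. The names `proxy.example.com` and `backend.example.com` are placeholders.

```nginx
# Added example; host names are placeholders, not values from the thread.
server {
    listen 80;
    server_name proxy.example.com;

    location / {
        proxy_pass https://backend.example.com;

        # Trust anchors and chain verification, as in the question.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        9;

        # Name the upstream certificate must match. By default this is
        # the host part of the proxy_pass URL ($proxy_host), not the
        # Host header the client sent to this server. Set explicitly
        # here so the checked name is visible in the configuration.
        proxy_ssl_name                backend.example.com;

        # Send the same name via SNI (off by default) so an upstream
        # serving several certificates presents the one for this name.
        proxy_ssl_server_name         on;
    }
}
```

When reporting a case like the one in the question, include the `proxy_pass` URL and the names in the upstream certificate, since those are the two values being compared.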
