Hi,
first I would like to thank you for the proxy SSL verification that landed
in nginx 1.7.
Regarding that, there is one slight problem I've found when creating a
proxy that dynamically accesses different hosts.
The configuration is limited to setting a certificate and does not use
CA path at all.
OpenSSL has a compiled-in default CA path, and on some
distributions it points to the system trusted CA store.
What I propose is a configuration flag to set
SSL_CTX_set_default_verify_paths.
My not polished patch is:
— bundle/nginx-1.7.4/src/event/ngx_event_openssl.c.orig 2014-09-10
23:33:09.000000000 +0200
+++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c 2014-09-10
23:33:49.000000000 +0200
@@ -498,6 +498,7 @@
SSL_CTX_set_verify_depth(ssl->ctx, depth);
if (cert->len == 0) {
-
}SSL_CTX_set_default_verify_paths(ssl->ctx); return NGX_OK;
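Review bot: the return value of SSL_CTX_set_default_verify_paths(ssl->ctx) in the `if (cert->len == 0)` branch is discarded before `return NGX_OK;`. That call returns 0 when the compiled-in CA file/path cannot be loaded, so a failed load would leave the context with an empty trust store and every verified upstream connection failing with no hint in the error log; suggest treating a zero return like the existing certificate-loading errors (ngx_ssl_error plus NGX_ERROR). Also, since this branch is taken whenever no trusted certificate is configured, it silently widens trust to the whole system store rather than making that an explicit choice, which is the point your `proxy_ssl_trusted_certificate system;` proposal below addresses; the patch as shown here is also garbled by the mail client (the `-`/`+` lines are run together), so a resend as an attachment would help review.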
When there is no certificate, load defaults. That certainly has some
drawbacks. So I would propose something like:
proxy_ssl_trusted_certificate system;
What do you think? It could increase the memory load, but it is really
convenient for general SSL verification.
The other proposed solution (discussed on Google Groups) was
to export system certificates and load them from one file.
That does not work for me, as I need to make a reusable nginx
configuration that can be deployed on many platforms, and it would be
hard to instruct people how to do it.
Best,
Michal Cichra
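To make the behaviour under discussion concrete, here is an added example (not part of the message above and not nginx code) that uses Python's ssl module, which wraps the same OpenSSL calls: ssl.get_default_verify_paths() reports the compiled-in CA file/path and the SSL_CERT_FILE / SSL_CERT_DIR overrides, and SSLContext.set_default_verify_paths() is the Python name for SSL_CTX_set_default_verify_paths. It builds the three trust configurations the thread contrasts: an explicit CA file only (the current proxy_ssl_trusted_certificate), the system store only (what the patch does when no certificate is given), and both together. The CA file path is a placeholder argument, not a real file.

```python
import os
import ssl


def default_verify_paths():
    """Where this OpenSSL build looks for CAs when set_default_verify_paths() is called.

    cafile/capath are the compiled-in defaults (None if the file/dir does not
    exist on this host); the *_env entries are the environment variable names
    that override them, which is why a "system" store is not portable by itself.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,   # normally "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,   # normally "SSL_CERT_DIR"
    }


def ca_count(ctx):
    """Number of CA certificates currently in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def _verifying_context():
    # Equivalent of proxy_ssl_verify on: the peer must present a chain that
    # validates against whatever is loaded into this context's store.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_pinned_only(ca_file=None):
    """Trust only an explicitly configured CA bundle (current nginx behaviour).

    With ca_file=None the store is empty, which is the silent failure mode a
    misconfigured or unchecked default-path load produces: every verified
    connection fails.
    """
    ctx = _verifying_context()
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # SSL_CTX_load_verify_locations
    return ctx


def context_system_only():
    """Trust the OpenSSL default CA file/path (SSL_CTX_set_default_verify_paths)."""
    ctx = _verifying_context()
    # Raises ssl.SSLError if the defaults cannot be loaded, which is the
    # condition the patch's unchecked return value would hide.
    ctx.set_default_verify_paths()
    return ctx


def context_pinned_plus_system(ca_file):
    """Explicit bundle plus system store: the 'proxy_ssl_trusted_certificate system;'
    idea from the thread, expressed as two loads into one store."""
    ctx = context_system_only()
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


if __name__ == "__main__":
    print("defaults:", default_verify_paths())
    print("overrides set:", {k: os.environ.get(k) for k in ("SSL_CERT_FILE", "SSL_CERT_DIR")})
    print("empty store CAs:", ca_count(context_pinned_only()))
    try:
        print("system store CAs:", ca_count(context_system_only()))
    except ssl.SSLError as e:
        print("default paths could not be loaded:", e)
```

Running it on a host without a system bundle shows why the message's reuse concern matters: the "system" store resolves to a different file or directory on each platform (and can be redirected through SSL_CERT_FILE / SSL_CERT_DIR), so an nginx directive that names the system store by role rather than by path is the only form that deploys unchanged everywhere.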