mainnika
/
nginx-auth-ldap
mirror of https://github.com/mainnika/nginx-auth-ldap
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Expose SSL certificate verification as config option

Browse Source
main
Victor Hahn 9 years ago
parent 65522703ae
commit 6389f806d5
1 changed files with 52 additions and 10 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 56
      ngx_http_auth_ldap_module.c

56
ngx_http_auth_ldap_module.c
Unescape View File

@ -62,6 +62,10 @@ typedef struct {
ngx_str_t group_attribute; ngx_str_t group_attribute;
ngx_flag_t group_attribute_dn; ngx_flag_t group_attribute_dn;
ngx_flag_t ssl_check_cert;
ngx_str_t ssl_ca_dir;
ngx_str_t ssl_ca_file;
ngx_array_t *require_group; /* array of ngx_http_complex_value_t */ ngx_array_t *require_group; /* array of ngx_http_complex_value_t */
ngx_array_t *require_user; /* array of ngx_http_complex_value_t */ ngx_array_t *require_user; /* array of ngx_http_complex_value_t */
ngx_flag_t require_valid_user; ngx_flag_t require_valid_user;
@ -378,6 +382,12 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
server->connections = i; server->connections = i;
} else if (ngx_strcmp(value[0].data, "ssl_check_cert") == 0 && ngx_strcmp(value[1].data, "on") == 0) {
server->ssl_check_cert = 1;
} else if (ngx_strcmp(value[0].data, "ssl_ca_dir") == 0) {
server->ssl_ca_dir = value[1];
} else if (ngx_strcmp(value[0].data, "ssl_ca_file") == 0) {
server->ssl_ca_file = value[1];
} }
else CONF_MSEC_VALUE(cf,value,server,connect_timeout) else CONF_MSEC_VALUE(cf,value,server,connect_timeout)
else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout) else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout)
@ -1211,7 +1221,7 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)
#if (NGX_OPENSSL) #if (NGX_OPENSSL)
static void static void
ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn) ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn, ngx_flag_t validate)
{ {
ngx_http_auth_ldap_connection_t *c; ngx_http_auth_ldap_connection_t *c;
@ -1222,7 +1232,7 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
X509 *cert = SSL_get_peer_certificate(conn->ssl->connection); X509 *cert = SSL_get_peer_certificate(conn->ssl->connection);
long verified = SSL_get_verify_result(conn->ssl->connection); long verified = SSL_get_verify_result(conn->ssl->connection);
if (cert && verified == X509_V_OK) { // everything fine if (!validate || (cert && verified == X509_V_OK) ) { // everything fine
conn->read->handler = &ngx_http_auth_ldap_read_handler; conn->read->handler = &ngx_http_auth_ldap_read_handler;
ngx_http_auth_ldap_restore_handlers(conn); ngx_http_auth_ldap_restore_handlers(conn);
ngx_http_auth_ldap_connection_established(c); ngx_http_auth_ldap_connection_established(c);
@ -1240,6 +1250,16 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
ngx_http_auth_ldap_close_connection(c); ngx_http_auth_ldap_close_connection(c);
} }
static void
ngx_http_auth_ldap_ssl_handshake_validating_handler(ngx_connection_t *conn)
{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 1); }
static void
ngx_http_auth_ldap_ssl_handshake_non_validating_handler(ngx_connection_t *conn)
{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 0); }
typedef void (*ngx_http_auth_ldap_ssl_callback)(ngx_connection_t *conn);
static void static void
ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c) ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
{ {
@ -1256,21 +1276,43 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
c->log->action = "SSL handshaking to LDAP server"; c->log->action = "SSL handshaking to LDAP server";
ngx_connection_t *transport = c->conn.connection; ngx_connection_t *transport = c->conn.connection;
//int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, "file", "dir"); ngx_http_auth_ldap_ssl_callback callback;
if (c->server->ssl_check_cert) {
// load CA certificates: custom ones if specified, default ones instead
if (c->server->ssl_ca_file.data || c->server->ssl_ca_dir.data) {
int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx,
(char*)(c->server->ssl_ca_file.data), (char*)(c->server->ssl_ca_dir.data));
if (setcode != 1) {
unsigned long error_code = ERR_get_error();
char *error_msg = ERR_error_string(error_code, NULL);
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: SSL initialization failed. Could not set custom CA certificate location. "
"Error: %lu, %s", error_code, error_msg);
}
}
int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx); int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
if (setcode != 1) { if (setcode != 1) {
unsigned long error_code = ERR_get_error();
char *error_msg = ERR_error_string(error_code, NULL);
ngx_log_error(NGX_LOG_ERR, c->log, 0, ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: SSL initialization failed. Could not set CA certificate location. " "http_auth_ldap: SSL initialization failed. Could not use default CA certificate location. "
"Error code: %lu", ERR_get_error()); "Error: %lu, %s", error_code, error_msg);
}
// use validating version of next function
callback = &ngx_http_auth_ldap_ssl_handshake_validating_handler;
} else {
// use non-validating version of next function
callback = &ngx_http_auth_ldap_ssl_handshake_non_validating_handler;
} }
rc = ngx_ssl_handshake(transport); rc = ngx_ssl_handshake(transport);
if (rc == NGX_AGAIN) { if (rc == NGX_AGAIN) {
transport->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler; transport->ssl->handler = callback;
return; return;
} }
ngx_http_auth_ldap_ssl_handshake_handler(transport); (*callback)(transport);
return; return;
} }
#endif #endif

Write Preview
Loading…
Cancel
Save