mainnika
/
nginx-auth-ldap
mirror of https://github.com/mainnika/nginx-auth-ldap
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Verify remote SSL certificate

Browse Source
main
Victor Hahn 9 years ago
parent 7802d53f0a
commit 65522703ae
1 changed files with 36 additions and 15 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 51
      ngx_http_auth_ldap_module.c

51
ngx_http_auth_ldap_module.c
Unescape View File

@ -378,7 +378,7 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
return NGX_CONF_ERROR;
}
server->connections = i;
}
}
else CONF_MSEC_VALUE(cf,value,server,connect_timeout)
else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout)
else CONF_MSEC_VALUE(cf,value,server,bind_timeout)
@ -1025,7 +1025,7 @@ ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c)
c->rctx = NULL;
if (c->state != STATE_DISCONNECTED) {
c->state = STATE_DISCONNECTED;
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection scheduled for reconnection in %d ms", c->server->reconnect_timeout);
}
}
@ -1205,7 +1205,7 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", c->msgid);
c->state = STATE_INITIAL_BINDING;
ngx_add_timer(c->conn.connection->read, c->server->bind_timeout);
ngx_add_timer(c->conn.connection->read, c->server->bind_timeout);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: bind_timeout=%d", c->server->bind_timeout);
}
@ -1218,10 +1218,22 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
c = conn->data;
if (conn->ssl->handshaked) {
conn->read->handler = &ngx_http_auth_ldap_read_handler;
ngx_http_auth_ldap_restore_handlers(conn);
ngx_http_auth_ldap_connection_established(c);
return;
// verify remote certificate
X509 *cert = SSL_get_peer_certificate(conn->ssl->connection);
long verified = SSL_get_verify_result(conn->ssl->connection);
if (cert && verified == X509_V_OK) { // everything fine
conn->read->handler = &ngx_http_auth_ldap_read_handler;
ngx_http_auth_ldap_restore_handlers(conn);
ngx_http_auth_ldap_connection_established(c);
return;
} else { // smells fishy
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s",
verified, X509_verify_cert_error_string(verified));
ngx_http_auth_ldap_close_connection(c);
return;
}
}
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed");
@ -1242,14 +1254,23 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
}
c->log->action = "SSL handshaking to LDAP server";
ngx_connection_t *transport = c->conn.connection;
rc = ngx_ssl_handshake(c->conn.connection);
//int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, "file", "dir");
int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
if (setcode != 1) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: SSL initialization failed. Could not set CA certificate location. "
"Error code: %lu", ERR_get_error());
}
rc = ngx_ssl_handshake(transport);
if (rc == NGX_AGAIN) {
c->conn.connection->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
transport->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
return;
}
ngx_http_auth_ldap_ssl_handshake_handler(c->conn.connection);
ngx_http_auth_ldap_ssl_handshake_handler(transport);
return;
}
#endif
@ -1450,7 +1471,7 @@ ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c)
if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) {
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Unable to connect to LDAP server \"%V\".",
&addr->name);
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
return;
}
@ -1461,7 +1482,7 @@ ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c)
#endif
conn->write->handler = ngx_http_auth_ldap_connect_handler;
conn->read->handler = ngx_http_auth_ldap_read_handler;
ngx_add_timer(conn->read, c->server->connect_timeout);
ngx_add_timer(conn->read, c->server->connect_timeout);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: connect_timeout=%d.", c->server->connect_timeout);
@ -1631,7 +1652,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
/*
* If we are not starting up a request (ctx->phase != PHASE_START) and we actually already
* sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we
* sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we
* ask to be called again at a later time when we hopefully have received a reply.
*
* It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) -
@ -1651,7 +1672,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index];
ctx->outcome = OUTCOME_UNCERTAIN;
ngx_add_timer(r->connection->write, ctx->server->request_timeout);
ngx_add_timer(r->connection->write, ctx->server->request_timeout);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: request_timeout=%d",ctx->server->request_timeout);
@ -2013,7 +2034,7 @@ ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
ctx->c->msgid);
ctx->c->state = STATE_BINDING;
ctx->iteration++;
return NGX_AGAIN;
}

Write Preview
Loading…
Cancel
Save