|
|
@ -1218,10 +1218,22 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn) |
|
|
|
c = conn->data; |
|
|
|
c = conn->data; |
|
|
|
|
|
|
|
|
|
|
|
if (conn->ssl->handshaked) { |
|
|
|
if (conn->ssl->handshaked) { |
|
|
|
|
|
|
|
// verify remote certificate
|
|
|
|
|
|
|
|
X509 *cert = SSL_get_peer_certificate(conn->ssl->connection); |
|
|
|
|
|
|
|
long verified = SSL_get_verify_result(conn->ssl->connection); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (cert && verified == X509_V_OK) { // everything fine
|
|
|
|
conn->read->handler = &ngx_http_auth_ldap_read_handler; |
|
|
|
conn->read->handler = &ngx_http_auth_ldap_read_handler; |
|
|
|
ngx_http_auth_ldap_restore_handlers(conn); |
|
|
|
ngx_http_auth_ldap_restore_handlers(conn); |
|
|
|
ngx_http_auth_ldap_connection_established(c); |
|
|
|
ngx_http_auth_ldap_connection_established(c); |
|
|
|
return; |
|
|
|
return; |
|
|
|
|
|
|
|
} else { // smells fishy
|
|
|
|
|
|
|
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, |
|
|
|
|
|
|
|
"http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s", |
|
|
|
|
|
|
|
verified, X509_verify_cert_error_string(verified)); |
|
|
|
|
|
|
|
ngx_http_auth_ldap_close_connection(c); |
|
|
|
|
|
|
|
return; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed"); |
|
|
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed"); |
|
|
@ -1242,14 +1254,23 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
c->log->action = "SSL handshaking to LDAP server"; |
|
|
|
c->log->action = "SSL handshaking to LDAP server"; |
|
|
|
|
|
|
|
ngx_connection_t *transport = c->conn.connection; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, "file", "dir");
|
|
|
|
|
|
|
|
int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx); |
|
|
|
|
|
|
|
if (setcode != 1) { |
|
|
|
|
|
|
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, |
|
|
|
|
|
|
|
"http_auth_ldap: SSL initialization failed. Could not set CA certificate location. " |
|
|
|
|
|
|
|
"Error code: %lu", ERR_get_error()); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
rc = ngx_ssl_handshake(c->conn.connection); |
|
|
|
rc = ngx_ssl_handshake(transport); |
|
|
|
if (rc == NGX_AGAIN) { |
|
|
|
if (rc == NGX_AGAIN) { |
|
|
|
c->conn.connection->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler; |
|
|
|
transport->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler; |
|
|
|
return; |
|
|
|
return; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
ngx_http_auth_ldap_ssl_handshake_handler(c->conn.connection); |
|
|
|
ngx_http_auth_ldap_ssl_handshake_handler(transport); |
|
|
|
return; |
|
|
|
return; |
|
|
|
} |
|
|
|
} |
|
|
|
#endif |
|
|
|
#endif |
|
|
|