mainnika/nginx-auth-ldap
1
0
Fork 0
mirror of https://github.com/mainnika/nginx-auth-ldap.git synced 2026-06-13 02:13:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Verify remote SSL certificate

Browse Source
This commit is contained in:
Victor Hahn
2015-09-28 22:13:26 +02:00
parent 7802d53f0a
commit 65522703ae
1 changed files with 36 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ngx_http_auth_ldap_module.c
+28 -7
View File
@@ -1218,10 +1218,22 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
c = conn->data; c = conn->data;
if (conn->ssl->handshaked) { if (conn->ssl->handshaked) {
conn->read->handler = &ngx_http_auth_ldap_read_handler; // verify remote certificate
ngx_http_auth_ldap_restore_handlers(conn); X509 *cert = SSL_get_peer_certificate(conn->ssl->connection);
ngx_http_auth_ldap_connection_established(c); long verified = SSL_get_verify_result(conn->ssl->connection);
return;
if (cert && verified == X509_V_OK) { // everything fine
conn->read->handler = &ngx_http_auth_ldap_read_handler;
ngx_http_auth_ldap_restore_handlers(conn);
ngx_http_auth_ldap_connection_established(c);
return;
} else { // smells fishy
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s",
verified, X509_verify_cert_error_string(verified));
ngx_http_auth_ldap_close_connection(c);
return;
}
} }
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed"); ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed");
@@ -1242,14 +1254,23 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
} }
c->log->action = "SSL handshaking to LDAP server"; c->log->action = "SSL handshaking to LDAP server";
ngx_connection_t *transport = c->conn.connection;
rc = ngx_ssl_handshake(c->conn.connection); //int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, "file", "dir");
int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
if (setcode != 1) {
ngx_log_error(NGX_LOG_ERR, c->log, 0,
"http_auth_ldap: SSL initialization failed. Could not set CA certificate location. "
"Error code: %lu", ERR_get_error());
}
rc = ngx_ssl_handshake(transport);
if (rc == NGX_AGAIN) { if (rc == NGX_AGAIN) {
c->conn.connection->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler; transport->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
return; return;
} }
ngx_http_auth_ldap_ssl_handshake_handler(c->conn.connection); ngx_http_auth_ldap_ssl_handshake_handler(transport);
return; return;
} }
#endif #endif