mirror of
https://github.com/mainnika/nginx-auth-ldap.git
synced 2026-07-03 20:22:33 +00:00
Verify remote SSL certificate
This commit is contained in:
+36
-15
@@ -378,7 +378,7 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
|
|||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
server->connections = i;
|
server->connections = i;
|
||||||
}
|
}
|
||||||
else CONF_MSEC_VALUE(cf,value,server,connect_timeout)
|
else CONF_MSEC_VALUE(cf,value,server,connect_timeout)
|
||||||
else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout)
|
else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout)
|
||||||
else CONF_MSEC_VALUE(cf,value,server,bind_timeout)
|
else CONF_MSEC_VALUE(cf,value,server,bind_timeout)
|
||||||
@@ -1025,7 +1025,7 @@ ngx_http_auth_ldap_close_connection(ngx_http_auth_ldap_connection_t *c)
|
|||||||
c->rctx = NULL;
|
c->rctx = NULL;
|
||||||
if (c->state != STATE_DISCONNECTED) {
|
if (c->state != STATE_DISCONNECTED) {
|
||||||
c->state = STATE_DISCONNECTED;
|
c->state = STATE_DISCONNECTED;
|
||||||
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
|
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection scheduled for reconnection in %d ms", c->server->reconnect_timeout);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: Connection scheduled for reconnection in %d ms", c->server->reconnect_timeout);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1205,7 +1205,7 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)
|
|||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", c->msgid);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: ldap_sasl_bind() -> msgid=%d", c->msgid);
|
||||||
|
|
||||||
c->state = STATE_INITIAL_BINDING;
|
c->state = STATE_INITIAL_BINDING;
|
||||||
ngx_add_timer(c->conn.connection->read, c->server->bind_timeout);
|
ngx_add_timer(c->conn.connection->read, c->server->bind_timeout);
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: bind_timeout=%d", c->server->bind_timeout);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: bind_timeout=%d", c->server->bind_timeout);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1218,10 +1218,22 @@ ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
|
|||||||
c = conn->data;
|
c = conn->data;
|
||||||
|
|
||||||
if (conn->ssl->handshaked) {
|
if (conn->ssl->handshaked) {
|
||||||
conn->read->handler = &ngx_http_auth_ldap_read_handler;
|
// verify remote certificate
|
||||||
ngx_http_auth_ldap_restore_handlers(conn);
|
X509 *cert = SSL_get_peer_certificate(conn->ssl->connection);
|
||||||
ngx_http_auth_ldap_connection_established(c);
|
long verified = SSL_get_verify_result(conn->ssl->connection);
|
||||||
return;
|
|
||||||
|
if (cert && verified == X509_V_OK) { // everything fine
|
||||||
|
conn->read->handler = &ngx_http_auth_ldap_read_handler;
|
||||||
|
ngx_http_auth_ldap_restore_handlers(conn);
|
||||||
|
ngx_http_auth_ldap_connection_established(c);
|
||||||
|
return;
|
||||||
|
} else { // smells fishy
|
||||||
|
ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||||
|
"http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s",
|
||||||
|
verified, X509_verify_cert_error_string(verified));
|
||||||
|
ngx_http_auth_ldap_close_connection(c);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed");
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed");
|
||||||
@@ -1242,14 +1254,23 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
|
|||||||
}
|
}
|
||||||
|
|
||||||
c->log->action = "SSL handshaking to LDAP server";
|
c->log->action = "SSL handshaking to LDAP server";
|
||||||
|
ngx_connection_t *transport = c->conn.connection;
|
||||||
|
|
||||||
rc = ngx_ssl_handshake(c->conn.connection);
|
//int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx, "file", "dir");
|
||||||
|
int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
|
||||||
|
if (setcode != 1) {
|
||||||
|
ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||||
|
"http_auth_ldap: SSL initialization failed. Could not set CA certificate location. "
|
||||||
|
"Error code: %lu", ERR_get_error());
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = ngx_ssl_handshake(transport);
|
||||||
if (rc == NGX_AGAIN) {
|
if (rc == NGX_AGAIN) {
|
||||||
c->conn.connection->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
|
transport->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
ngx_http_auth_ldap_ssl_handshake_handler(c->conn.connection);
|
ngx_http_auth_ldap_ssl_handshake_handler(transport);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -1450,7 +1471,7 @@ ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c)
|
|||||||
if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) {
|
if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) {
|
||||||
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Unable to connect to LDAP server \"%V\".",
|
ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: Unable to connect to LDAP server \"%V\".",
|
||||||
&addr->name);
|
&addr->name);
|
||||||
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
|
ngx_add_timer(&c->reconnect_event, c->server->reconnect_timeout);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1461,7 +1482,7 @@ ngx_http_auth_ldap_connect(ngx_http_auth_ldap_connection_t *c)
|
|||||||
#endif
|
#endif
|
||||||
conn->write->handler = ngx_http_auth_ldap_connect_handler;
|
conn->write->handler = ngx_http_auth_ldap_connect_handler;
|
||||||
conn->read->handler = ngx_http_auth_ldap_read_handler;
|
conn->read->handler = ngx_http_auth_ldap_read_handler;
|
||||||
ngx_add_timer(conn->read, c->server->connect_timeout);
|
ngx_add_timer(conn->read, c->server->connect_timeout);
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: connect_timeout=%d.", c->server->connect_timeout);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http_auth_ldap: connect_timeout=%d.", c->server->connect_timeout);
|
||||||
|
|
||||||
|
|
||||||
@@ -1631,7 +1652,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* If we are not starting up a request (ctx->phase != PHASE_START) and we actually already
|
* If we are not starting up a request (ctx->phase != PHASE_START) and we actually already
|
||||||
* sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we
|
* sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we
|
||||||
* ask to be called again at a later time when we hopefully have received a reply.
|
* ask to be called again at a later time when we hopefully have received a reply.
|
||||||
*
|
*
|
||||||
* It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) -
|
* It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) -
|
||||||
@@ -1651,7 +1672,7 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
|
|||||||
ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index];
|
ctx->server = ((ngx_http_auth_ldap_server_t **) conf->servers->elts)[ctx->server_index];
|
||||||
ctx->outcome = OUTCOME_UNCERTAIN;
|
ctx->outcome = OUTCOME_UNCERTAIN;
|
||||||
|
|
||||||
ngx_add_timer(r->connection->write, ctx->server->request_timeout);
|
ngx_add_timer(r->connection->write, ctx->server->request_timeout);
|
||||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: request_timeout=%d",ctx->server->request_timeout);
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: request_timeout=%d",ctx->server->request_timeout);
|
||||||
|
|
||||||
|
|
||||||
@@ -2013,7 +2034,7 @@ ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
|
|||||||
ctx->c->msgid);
|
ctx->c->msgid);
|
||||||
ctx->c->state = STATE_BINDING;
|
ctx->c->state = STATE_BINDING;
|
||||||
ctx->iteration++;
|
ctx->iteration++;
|
||||||
|
|
||||||
return NGX_AGAIN;
|
return NGX_AGAIN;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user