Make Openresty look up system certificates - https://groups.google.com/forum/#!searchin/openresty-en/ssl/openresty-en/SuqORBK9ys0/Yz0ypcRyV4UJ
diff --git bundle/nginx-1.7.4/src/event/ngx_event_openssl.c bundle/nginx-1.7.4/src/event/ngx_event_openssl.c | |
index bb82143..9b76ffa 100644 | |
--- bundle/nginx-1.7.4/src/event/ngx_event_openssl.c | |
+++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c | |
@@ -498,6 +498,7 @@ ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, | |
SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
if (cert->len == 0) { | |
+ SSL_CTX_set_default_verify_paths(ssl->ctx); | |
return NGX_OK; | |
} | |
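Review bot: The return value of `SSL_CTX_set_default_verify_paths()` on the added line is discarded, so a missing or unreadable system store (wrong OPENSSLDIR, broken SSL_CERT_FILE/SSL_CERT_DIR) is accepted silently at config load and only shows up later as verification failures at request time. The surrounding nginx code treats OpenSSL setup failures as configuration errors via ngx_ssl_error(), and this call should do the same rather than return NGX_OK unconditionally. Note also that this is nginx's shared `ngx_ssl_trusted_certificate()`, so the empty-certificate case presumably changes meaning for every caller that passes an empty string (the proxy/uwsgi `*_ssl_trusted_certificate` directives, not just ngx_lua) — worth calling out in the commit message; the function itself starts and ends outside this hunk.
```c
    if (cert->len == 0) {
        /* no explicit bundle: fall back to the system CA store */
        if (SSL_CTX_set_default_verify_paths(ssl->ctx) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_set_default_verify_paths() failed");
            return NGX_ERROR;
        }
        return NGX_OK;
    }
```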
diff --git bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c | |
index 1c57d90..2352835 100644 | |
--- bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c | |
+++ bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c | |
@@ -801,7 +801,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) | |
"DEFAULT"); | |
ngx_conf_merge_uint_value(conf->ssl_verify_depth, | |
- prev->ssl_verify_depth, 1); | |
+ prev->ssl_verify_depth, -1); | |
ngx_conf_merge_str_value(conf->ssl_trusted_certificate, | |
prev->ssl_trusted_certificate, ""); | |
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); | |
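Review bot: The new default `-1` on the `ssl_verify_depth` merge is a magic value with no comment explaining what it is meant to do. `ngx_conf_merge_uint_value` stores it into an unsigned field, so it presumably lands as `(ngx_uint_t) -1` — the same bit pattern as `NGX_CONF_UNSET_UINT` — and then reaches `SSL_CTX_set_verify_depth()` as a negative int after conversion; nothing in this hunk establishes how OpenSSL treats a negative depth, and it could just as well reject any chain longer than the leaf as disable the limit. If the intent is to stop rejecting ordinary CA -> intermediate -> leaf chains, an explicit positive default with a one-line comment is safer and self-explanatory, e.g. `prev->ssl_verify_depth, 10);` preceded by `/* deep enough for real-world intermediate chains */`. The merge function continues outside the hunk.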
@@ -884,8 +884,6 @@ ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf) | |
return NGX_ERROR; | |
} | |
- if (llcf->ssl_trusted_certificate.len) { | |
- | |
#if defined(nginx_version) && nginx_version >= 1003007 | |
if (ngx_ssl_trusted_certificate(cf, llcf->ssl, | |
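Review bot: Dropping the `if (llcf->ssl_trusted_certificate.len)` guard makes `ngx_ssl_trusted_certificate()` run for every location, and combined with the nginx-side change that means cosocket TLS verification trusts the entire system CA store whenever `lua_ssl_trusted_certificate` is left unset, with no directive to opt out — the thread below already agrees this should be configurable, but the patch does not add the switch. A boolean directive merged alongside these (for example `lua_ssl_use_default_verify_paths on|off`, defaulting to the old strict behavior) that is checked before calling into nginx would let deployments that pin a single bundle keep doing so. `ngx_http_lua_set_ssl` starts before this hunk and continues past it.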
@@ -904,7 +902,6 @@ ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf) | |
return NGX_ERROR; | |
#endif | |
- } | |
dd("ssl crl: %.*s", (int) llcf->ssl_crl.len, llcf->ssl_crl.data); | |
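Review bot: The `return NGX_ERROR;` immediately above `#endif` looks like the `#else` arm for nginx builds older than 1.3.7 (the `#else` line itself is not shown in this hunk), and with the enclosing guard removed that arm now runs unconditionally on such builds, so every configuration would fail to load instead of only those that set a trusted certificate. If the module still supports older nginx, the old check should stay around that arm, e.g. `if (llcf->ssl_trusted_certificate.len) { ... return NGX_ERROR; }`, so only a setting that cannot be honored is rejected; the OpenResty bundle at hand is 1.7.4, so this only matters for standalone ngx_lua builds. The function continues past this hunk.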
Yes, one is for nginx and one for ngx_lua.
It should be configurable, because some people might not want to trust all system certificates.
These changes are needed because nginx allows only setting one certificate file as trusted.
That way, if the system adds more certificates, you have to regenerate the bundle or generate a new one when installing.
We want to deploy it on premise, so it would be quite hard for us to do it reliably. And I see no reason to do so when openssl provides infrastructure to do so.
Nice. Although I am missing a message explaining why these changes are needed (and what about making them configurable? is it really the case that this should be configurable?)
Also, I guess you would need to submit one patch for nginx and another one for nginx-lua, no?