mikz/system-ssl.patch Secret

Last active Apr 23, 2016
diff --git bundle/nginx-1.7.4/src/event/ngx_event_openssl.c bundle/nginx-1.7.4/src/event/ngx_event_openssl.c
index bb82143..9b76ffa 100644
--- bundle/nginx-1.7.4/src/event/ngx_event_openssl.c
+++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c
@@ -498,6 +498,7 @@ ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
SSL_CTX_set_verify_depth(ssl->ctx, depth);
if (cert->len == 0) {
+ SSL_CTX_set_default_verify_paths(ssl->ctx);
return NGX_OK;
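Review bot: the return value of `SSL_CTX_set_default_verify_paths(ssl->ctx)` is discarded; it returns 0 when OpenSSL's default certificate file or directory cannot be loaded, and the rest of this function reports loading failures through ngx_ssl_error() and NGX_ERROR, so this branch should do the same instead of returning NGX_OK with a possibly empty store, e.g. `if (SSL_CTX_set_default_verify_paths(ssl->ctx) == 0) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_set_default_verify_paths() failed"); return NGX_ERROR; }`. Also worth stating in the description what "default paths" means: the certificate file and directory compiled into OpenSSL, overridable at runtime by the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so the trust anchors of any caller that reaches this branch with an empty cert string now depend on the OpenSSL build and on the process environment. Because this helper lives in the shared ngx_event_openssl.c rather than in ngx_lua, every module that calls ngx_ssl_trusted_certificate() with an empty cert gets the system store, not only Lua cosockets, and that widening of trust should be spelled out.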
diff --git bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c
index 1c57d90..2352835 100644
--- bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c
+++ bundle/ngx_lua-0.9.12/src/ngx_http_lua_module.c
@@ -801,7 +801,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
- prev->ssl_verify_depth, 1);
+ prev->ssl_verify_depth, -1);
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
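Review bot: the new default of -1 for ssl_verify_depth is not explained anywhere in the patch. That value flows through ngx_ssl_trusted_certificate() straight into SSL_CTX_set_verify_depth() (visible in the nginx hunk above), so a reader has to know how OpenSSL treats a negative depth to tell whether -1 means "unlimited", "use the library default" or a misconfiguration; add a comment at the merge saying which it is. The description should also say why the old default of 1 is too small once the system store is used: a depth of 1 rejects any chain with more than one CA certificate above the leaf, which most public-CA chains have.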
@@ -884,8 +884,6 @@ ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf)
return NGX_ERROR;
- if (llcf->ssl_trusted_certificate.len) {
#if defined(nginx_version) && nginx_version >= 1003007
if (ngx_ssl_trusted_certificate(cf, llcf->ssl,
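Review bot: dropping the `if (llcf->ssl_trusted_certificate.len)` guard makes ngx_ssl_trusted_certificate() run for every location, with an empty string whenever the directive is absent (the merge in the previous hunk defaults it to ""). Two consequences: first, the behaviour for users who never set ssl_trusted_certificate changes from "no trust store" to "the OpenSSL system store", which is exactly the configurability question raised in the comments and would be better exposed as an explicit opt-in directive next to ssl_trusted_certificate than as an unconditional new default; second, the `#if defined(nginx_version) && nginx_version >= 1003007` block is now reached on every build, so check that its #else branch (not visible in this hunk) does not turn a previously working, directive-free configuration on an older nginx into a startup error.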
@@ -904,7 +902,6 @@ ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf)
return NGX_ERROR;
- }
dd("ssl crl: %.*s", (int) llcf->ssl_crl.len, llcf->;
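Review bot: this only removes the closing brace of the guard dropped in the previous hunk, so brace balance is preserved and no further behaviour changes here. The trailing `dd(...)` context line is cut off in this rendering (`llcf->;`), which is a display artefact, not part of the change.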

@unleashed unleashed commented Sep 16, 2014

Nice. Although I miss a message explaining why it is that these changes are needed (and what about making them configurable? Is it really the case that this should be configurable?)
Also, I guess you would need to submit one patch for nginx and another one for nginx-lua, no?


Owner Author

@mikz mikz commented Sep 19, 2014

Yes, one is for nginx and one for ngx_lua.

It should be configurable, because some people might not want to trust all system certificates.

These changes are needed because nginx allows only setting one certificate file as trusted.
That way, if the system adds more certificates, you have to regenerate it or generate a new one when installing.
We want to deploy it on-premises, so it would be quite hard for us to do it reliably. And I see no reason to do so when openssl provides infrastructure to do so.
