ARCHIVE :: nginx-ru
Nginx-ru mailing list archive (nginx-ru@sysoev.ru)


Re: analogue of SSLVerifyClient 2



On Sun, Mar 09, 2008 at 04:54:46AM +0300, Alexander V. Inyukhin wrote:

> On Sun, Mar 09, 2008 at 03:55:17AM +0300, Alexander V. Inyukhin wrote:
> > Currently, if ssl_verify_client on is set,
> > the browser (Firefox) settles down once it has received a 400 (496)
> > and makes no further attempts to request a certificate.
> 
> Fixed it by disabling the ssl cache.

The attached patch should help.


-- 
Игорь Сысоев
http://sysoev.ru
Index: src/http/ngx_http_request.c
===================================================================
--- src/http/ngx_http_request.c (revision 1240)
+++ src/http/ngx_http_request.c (working copy)
@@ -1430,6 +1430,10 @@
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));
+
+                ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+
                 ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
                 return;
             }
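Review bot: `sscf` is used here but is not visible in the hunk context; confirm it is already assigned earlier in this function rather than needing an addition this patch does not show. The inner parentheses in `(SSL_get0_session(c->ssl->connection))` are redundant and can be dropped. Placement is right: removing the session from the cache on a verify error means the next connection cannot resume and must run a full handshake, so the client is asked for a certificate again instead of immediately receiving the same 4xx.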
@@ -1439,6 +1443,10 @@
             {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client sent no required SSL certificate");
+
+                ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+
                 ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
                 return;
             }
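Review bot: this three-line block duplicates the removal added in the previous hunk verbatim; since `ngx_ssl_remove_cached_session` is new in this patch anyway, consider giving it a `ngx_connection_t *c` parameter (or a small static wrapper in this file) so the `SSL_get0_session(c->ssl->connection)` lookup is written once. Treating the no-certificate path the same as the verify-error path is correct: a session that completed the handshake without the required certificate must not be resumable either.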
Index: src/event/ngx_event_openssl.c
===================================================================
--- src/event/ngx_event_openssl.c       (revision 1240)
+++ src/event/ngx_event_openssl.c       (working copy)
@@ -1552,6 +1552,17 @@
 }
 
 
+void
+ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
+{
+     if (SSL_CTX_remove_session(ssl, sess)) {
+         return;
+     }
+
+     ngx_ssl_remove_session(ssl, sess);
+}
+
+
 static void
 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
 {
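Review bot: `ngx_ssl_remove_cached_session` calls `ngx_ssl_remove_session`, which is `static` and defined below the new code, so this compiles only if a prototype for it already appears earlier in the file; if it does not, add one or move the new function after the static definition. A short comment on the fall-through would help: a non-zero return from `SSL_CTX_remove_session` means the session was found in OpenSSL's internal cache, and only otherwise is nginx's own shared session cache tried. The result of either removal is not propagated, so callers cannot tell whether anything was removed; that is fine for the two call sites in this patch but worth stating in the comment.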
Index: src/event/ngx_event_openssl.h
===================================================================
--- src/event/ngx_event_openssl.h       (revision 1240)
+++ src/event/ngx_event_openssl.h       (working copy)
@@ -105,6 +105,7 @@
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
     ngx_uint_t flags);
 
+void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
 #define ngx_ssl_get_session(c)      SSL_get1_session(c->ssl->connection)
 #define ngx_ssl_free_session        SSL_SESSION_free
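Review bot: the new prototype names its first parameter `ssl` while its type is `SSL_CTX *`, whereas the neighbouring `ngx_ssl_create_connection` uses `ssl` for an `ngx_ssl_t *`; renaming it to `ssl_ctx` here and in the definition would avoid confusing the two types at call sites. The declaration otherwise matches the definition in ngx_event_openssl.c.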
Copyright © Lexa Software, 1996-2009.