SSL: $ssl_client_verify extended with a failure reason.
authorMaxim Dounin <mdounin@mdounin.ru>
Mon, 5 Dec 2016 19:23:22 +0000 (22:23 +0300)
committerMaxim Dounin <mdounin@mdounin.ru>
Mon, 5 Dec 2016 19:23:22 +0000 (22:23 +0300)
Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.

src/event/ngx_event_openssl.c

index 7fc25ca54541d9bcefabe533c874108063669f90..cb0dd2e4b468044a60c01d294f0f1d04ec1505bb 100644 (file)
@@ -3717,23 +3717,33 @@ ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 ngx_int_t
 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
-    X509  *cert;
+    X509        *cert;
+    long         rc;
+    const char  *str;
 
-    if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
-        ngx_str_set(s, "FAILED");
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        ngx_str_set(s, "NONE");
         return NGX_OK;
     }
 
-    cert = SSL_get_peer_certificate(c->ssl->connection);
+    X509_free(cert);
+
+    rc = SSL_get_verify_result(c->ssl->connection);
 
-    if (cert) {
+    if (rc == X509_V_OK) {
         ngx_str_set(s, "SUCCESS");
+        return NGX_OK;
+    }
 
-    } else {
-        ngx_str_set(s, "NONE");
+    str = X509_verify_cert_error_string(rc);
+
+    s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
+    if (s->data == NULL) {
+        return NGX_ERROR;
     }
 
-    X509_free(cert);
+    s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
 
     return NGX_OK;
 }
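Review bot: The function's new three-way contract — "NONE", "SUCCESS" or "FAILED:&lt;reason&gt;" — is stated only in the commit message, so a short comment above the SSL_get_peer_certificate() call would help, e.g. `/* NONE: no client certificate presented; SUCCESS: verified; otherwise FAILED:<OpenSSL reason string> */`. The ngx_pnalloc() size deliberately leaves no room for a NUL terminator because ngx_str_t is length-delimited and ngx_sprintf() writes exactly the bytes counted there; a one-line comment on that allocation, `/* no NUL: ngx_str_t is length-delimited, ngx_sprintf() writes exactly this many bytes */`, would stop a later maintainer from "fixing" it with a C-string copy. It is also worth recording that the reason text comes from X509_verify_cert_error_string(), which returns an entry from OpenSSL's own fixed table rather than anything supplied by the peer, so exposing it through $ssl_client_verify into logs or headers does not introduce a client-controlled string.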