Verification of proxied HTTPS server certificate

xrd
Hi,

According to the documentation
(http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify)
the directive "proxy_ssl_verify" is used to enable or disable the
verification of the proxied HTTPS server certificate. But it doesn't talk
about what all different types of validations (like Host Name Verification,
Certificate Expiry etc) it does.

Could someone list out the validations Nginx performs on the obtained server
certificate from the upstream server when the above said directive is set to
"on"?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285683,285683#msg-285683

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Verification of proxied HTTPS server certificate

Maxim Dounin
Hello!

On Tue, Sep 24, 2019 at 06:35:10AM -0400, shivramg94 wrote:

> According to the documentation
> (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify)
> the directive "proxy_ssl_verify" is used to enable or disable the
> verification of the proxied HTTPS server certificate. But it doesn't talk
> about what all different types of validations (like Host Name Verification,
> Certificate Expiry etc) it does.
>
> Could someone list out the validations Nginx performs on the obtained server
> certificate from the upstream server when the above said directive is set to
> "on"?

It verifies that the certificate is valid, signed by a trusted CA,
and matches the host name as used in the proxy_pass directive.  
Much like it normally happens with any HTTPS client as per RFC
2818.

--
Maxim Dounin
http://mdounin.ru/
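
The checks described in the reply, shown as a configuration sketch. This is an added example, not part of the original thread or the nginx documentation; the host names, address, ports and file paths are placeholders, and the server blocks are assumed to sit inside the http context.

```nginx
# Added example; backend.example.com, 192.0.2.10 and all paths are placeholders.

# Default behaviour: the connection to the upstream is encrypted, but the
# certificate is not checked, because proxy_ssl_verify defaults to off.
server {
    listen 8080;
    location / {
        proxy_pass https://backend.example.com;
    }
}

# Verification enabled: the certificate must be valid, chain to a CA in
# the trusted bundle, and match the host name taken from proxy_pass.
server {
    listen 8081;
    location / {
        proxy_pass https://backend.example.com;

        proxy_ssl_verify              on;
        # PEM file with the CA certificates the upstream chain must end in.
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
        # Chain depth limit (default 1); may need raising when the
        # upstream certificate is issued through intermediate CAs.
        proxy_ssl_verify_depth        2;
        # Send the name via SNI so a virtual-hosted upstream can pick
        # the matching certificate (off by default).
        proxy_ssl_server_name         on;
    }
}

# Upstream addressed by IP: the name in proxy_pass is not the name in the
# certificate, so the name to verify is set explicitly with proxy_ssl_name.
server {
    listen 8082;
    location / {
        proxy_pass https://192.0.2.10:8443;

        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
        proxy_ssl_name                backend.example.com;
        proxy_ssl_server_name         on;
    }
}
```

With verification on, a certificate that is expired, untrusted or issued for a different name makes the upstream handshake fail and the reason is written to the error log.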