[PATCH 0 of 3] SSL certificate verification context checks
Maxim Dounin
mdounin at mdounin.ru
Sun Mar 9 00:27:39 UTC 2025
Hello!
The following patch series somewhat improves checking of the SSL context
where the client certificate was verified.
Notably:
- Session ID context now includes trusted certificates list, so a
session cannot be restored in a server block with different trusted
certificates list (even if it uses the same server certificate and
the same client CA certificates list).
- Reshaped HTTP level server name checks to better match existing certificate
verification checking code. As a side effect, it is now allowed
to use different names at HTTP level as long as verification context
stays the same (that is, names within the same server block).
- Added a workaround to prevent incorrect session reuse in OpenSSL 1.1.1e
and above when using TLSv1.3, which allows session reuse with different
server names without any checks.
--
Maxim Dounin