diff --git a/docker/assets/nginx.conf b/docker/assets/nginx.conf
index 505836971e8e57121f9b9f1c3c3d75370e1ebff9..d5135ff6e23050c084a514364b0749bb786a6319 100644
--- a/docker/assets/nginx.conf
+++ b/docker/assets/nginx.conf
@@ -1,7 +1,6 @@
 user build;
 worker_processes 1;
-env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=/vomsdir;
 error_log logs/error.log warn;
diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index 6f657c164f98548f4afec9847b1c7d669fc35ec2..465fa968bc32980888f9c70433985bb7795665c3 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -38,16 +38,18 @@ using MaybeVomsAc = boost::optional<VomsAc>;
 enum class EeDn { SUBJECT, ISSUER };
 static ngx_int_t add_variables(ngx_conf_t* cf);
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl);
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*);
 static ngx_http_module_t ctx = {
- add_variables, // preconfiguration
- NULL, // postconfiguration
- NULL, // create main configuration
- NULL, // init main configuration
- NULL, // create server configuration
- NULL, // merge server configuration
- NULL, // create location configuration
- NULL // merge location configuration
+ add_variables, // preconfiguration
+ NULL, // postconfiguration
+ NULL, // create main configuration
+ NULL, // init main configuration
+ NULL, // create server configuration
+ ngx_http_voms_merge_srv_conf, // merge server configuration
+ NULL, // create location configuration
+ NULL // merge location configuration
 };
 ngx_module_t ngx_http_voms_module = {
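Review bot: The new declaration `static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl);` borrows the nginx core `ngx_ssl_` prefix for a file-static helper of this module, while its sibling on the next line uses the module's own `ngx_http_voms_` prefix. A reader will look for it in the core SSL code and not find it; renaming it `ngx_http_voms_allow_proxy_certs` (declaration, definition and call site) keeps the naming consistent and makes the ownership obvious. The ngx_module_t initializer that starts on the hunk's last line continues outside it.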
@@ -224,6 +226,36 @@ static ngx_int_t add_variables(ngx_conf_t* cf)
 return NGX_OK;
 }
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl)
+{
+ X509_STORE* store = SSL_CTX_get_cert_store(ssl->ctx);
+ if (store == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG,
+ ssl->log,
+ 0,
+ const_cast<char*>("SSL_CTX_get_cert_store() failed"));
+ return NGX_ERROR;
+ }
+
+ X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ return NGX_OK;
+}
+
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*)
+{
+ auto conf = static_cast<ngx_http_ssl_srv_conf_t*>(
+ ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module));
+
+ if (conf->ssl.ctx != nullptr) {
+ if (ngx_ssl_allow_proxy_certs(&conf->ssl) != NGX_OK) {
+ return static_cast<char*>(NGX_CONF_ERROR);
+ }
+ }
+
+ return NGX_CONF_OK;
+}
+
 // return the first AC, if present
 static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
 {
diff --git a/t/eec_cert.t b/t/eec_cert.t
index 63684913afff154c87939d4c7b1291523471f290..12c1179ab4c75747724065ac72b426344b413ea1 100644
--- a/t/eec_cert.t
+++ b/t/eec_cert.t
@@ -6,7 +6,6 @@ __DATA__
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/eec_subject.t b/t/eec_subject.t
index a1e316ee3f340d587a09451cbb5ff8c2cdc2d376..65980d0f65d4017c4c4373285cd53c87e0985109 100644
--- a/t/eec_subject.t
+++ b/t/eec_subject.t
@@ -6,7 +6,6 @@ __DATA__
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -40,7 +39,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 2: standard x.509 certificate
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
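Review bot: ngx_http_voms_merge_srv_conf sets X509_V_FLAG_ALLOW_PROXY_CERTS on the SSL_CTX of every server block that has one, whether or not that server references any VOMS variable, and a null `conf->ssl.ctx` is skipped without a trace; neither fact is stated at the function. The null case presumably covers servers with ssl disabled, but it would equally hide an ordering problem where this merge ran before ngx_http_ssl_module had created the context, so the dependence deserves a comment such as `// Relies on ngx_http_ssl_module having merged first (it presumably does when this module is registered after it); a null ctx is taken to mean ssl is off for this server.` A header comment on the callback should also say that it replaces the process-wide OPENSSL_ALLOW_PROXY_CERTS setting removed from nginx.conf and the t/*.t files, so proxy-certificate acceptance is now configuration-wide rather than per-location. Operators keying access control on nginx's own $ssl_client_s_dn will then see the proxy's subject rather than the end-entity one, which is presumably what this module's end-entity (eec) variables are for; that is worth a sentence in the module documentation.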
@@ -78,7 +76,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 3: three delegations proxy
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -113,7 +110,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 4: three delegations proxy + CA cert
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/encoding.t b/t/encoding.t
index c7663819d29d7084cb5b85389412da1978378a52..e3685f499fca4249648363610fe874ae59884ce3 100644
--- a/t/encoding.t
+++ b/t/encoding.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: valid AC, verification of VOMS generic attributes encoding
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/expired.t b/t/expired.t
index f3ac305ef730c139d7e03eff4033ac919146e7c2..517a0105892df82384fbbd4b902293674352b129 100644
--- a/t/expired.t
+++ b/t/expired.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, expired client certificate
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 --- http_config
 server {
 error_log logs/error.log debug;
diff --git a/t/expired_ac.t b/t/expired_ac.t
index 348cb1f88bcbae1680b4701b396b579aaeedd3e1..f1ae64f00d701014cb8a40b991e9c11a443e8ffe 100644
--- a/t/expired_ac.t
+++ b/t/expired_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/no_ac.t b/t/no_ac.t
index 677673d827543ccca8eb9b63f64fd69520b63373..27080abda790389509db9f534b13ef5fee94f5df 100644
--- a/t/no_ac.t
+++ b/t/no_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, valid proxy certificate with no VOMS attributes
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/no_ssl.t b/t/no_ssl.t
index 1ae8c64de3b0198ffafe3e59596d32c91ba939d4..ea3fea82ba08b7f38694671798c69ab5b26fa0c0 100644
--- a/t/no_ssl.t
+++ b/t/no_ssl.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: HTTP connection, no SSL
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/no_ta.t b/t/no_ta.t
index 441430a6647431598bc3a08fd9892e5b997b526d..28e5da3186bc69ee216696e534309ce79cad9725 100644
--- a/t/no_ta.t
+++ b/t/no_ta.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: Valid proxy, wrong client trust-anchor
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/ssl_no_client_authn.t b/t/ssl_no_client_authn.t
index d30f87fa79e5bd465c9f8c0acf66bbf7676b1c50..f7465d0298d05a07a5e7b1ac5e05bf07f1943e83 100644
--- a/t/ssl_no_client_authn.t
+++ b/t/ssl_no_client_authn.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: HTTPS with no X.509 client authentication
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/untrusted_ac.t b/t/untrusted_ac.t
index f7a97b31ddaf8b08fa7e0ec9a1a4a9d7d5b5005e..4aec7b185d6250c5647efcea61e79b15627af921 100644
--- a/t/untrusted_ac.t
+++ b/t/untrusted_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, untrusted AC signature LSC missing
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -41,7 +40,6 @@ Cannot verify AC signature
 === TEST 2: Valid proxy, VOMS trust-anchor missing
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t;
 --- http_config
diff --git a/t/valid_ac.t b/t/valid_ac.t
index 60aceafa76aa2d76c9c6819c14d42a2e13f9f424..5241d3f7c22dfffd025b5df49d2adab740ffcf13 100644
--- a/t/valid_ac.t
+++ b/t/valid_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: valid AC, verification of valid VOMS attributes extracted by ngx_http_voms_module
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config