Upstream: handling of certificates specified as an empty string.
Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level. This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index a64658f..617814e 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4906,8 +4906,9 @@
return NGX_ERROR;
}
- if (glcf->upstream.ssl_certificate) {
-
+ if (glcf->upstream.ssl_certificate
+ && glcf->upstream.ssl_certificate->value.len)
+ {
if (glcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"grpc_ssl_certificate_key\" is defined "
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index e8df555..bb93030 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4955,8 +4955,9 @@
return NGX_ERROR;
}
- if (plcf->upstream.ssl_certificate) {
-
+ if (plcf->upstream.ssl_certificate
+ && plcf->upstream.ssl_certificate->value.len)
+ {
if (plcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"proxy_ssl_certificate_key\" is defined "
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 5078ef7..1dcee1e 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2487,8 +2487,9 @@
return NGX_ERROR;
}
- if (uwcf->upstream.ssl_certificate) {
-
+ if (uwcf->upstream.ssl_certificate
+ && uwcf->upstream.ssl_certificate->value.len)
+ {
if (uwcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"uwsgi_ssl_certificate_key\" is defined "
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index ead3715..3ae822b 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1690,8 +1690,10 @@
}
}
- if (u->conf->ssl_certificate && (u->conf->ssl_certificate->lengths
- || u->conf->ssl_certificate_key->lengths))
+ if (u->conf->ssl_certificate
+ && u->conf->ssl_certificate->value.len
+ && (u->conf->ssl_certificate->lengths
+ || u->conf->ssl_certificate_key->lengths))
{
if (ngx_http_upstream_ssl_certificate(r, u, c) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 934e7d8..683f7d7 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -1069,8 +1069,10 @@
}
}
- if (pscf->ssl_certificate && (pscf->ssl_certificate->lengths
- || pscf->ssl_certificate_key->lengths))
+ if (pscf->ssl_certificate
+ && pscf->ssl_certificate->value.len
+ && (pscf->ssl_certificate->lengths
+ || pscf->ssl_certificate_key->lengths))
{
if (ngx_stream_proxy_ssl_certificate(s) != NGX_OK) {
ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
@@ -2225,8 +2227,9 @@
return NGX_ERROR;
}
- if (pscf->ssl_certificate) {
-
+ if (pscf->ssl_certificate
+ && pscf->ssl_certificate->value.len)
+ {
if (pscf->ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"proxy_ssl_certificate_key\" is defined "
