[PATCH 2 of 2] Upstream: fixed SSL certificate password prompt in complex configs

Maxim Dounin mdounin at mdounin.ru
Sun Apr 13 02:16:48 UTC 2025


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1744509743 -10800
# Sun Apr 13 05:02:23 2025 +0300
# Node ID 0a8083b7093e88a56b6b06d534b52c367728d005
# Parent d154c555af30dc07a5a5d9bffa559fb1be0da019
Upstream: fixed SSL certificate password prompt in complex configs.
Variables support in certificates introduced in 7833:3ab8e1e2f0f7 (1.21.0)
inadvertently broke password prompt for static SSL certificates, such
as in the following configuration:
 location / {
 proxy_ssl_certificate $foo.crt;
 proxy_ssl_certificate_key $foo.key;
 proxy_pass https://u;
 location /static/ {
 proxy_ssl_certificate static.crt;
 proxy_ssl_certificate_key static.key;
 proxy_pass https://u;
 }
 }
The fix is to restore the conf->ssl_passwords field as previously used for
initial password reading and configuration inheritance, and to use the
conf->upstream.ssl_passwords field only for passwords preserved for run-time
usage (i.e. for certificates with variables, loaded in worker processes).
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -37,6 +37,7 @@ typedef struct {
 ngx_uint_t ssl_verify_depth;
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
 ngx_array_t *ssl_conf_commands;
 #endif
 } ngx_http_grpc_loc_conf_t;
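Review bot: The new `ssl_passwords` field carries no comment distinguishing it from `upstream.ssl_passwords`, which this patch turns into a run-time-only copy, so the next person tidying the struct may fold the two back together and reintroduce the inherited-empty-array bug the description fixes. Suggest `ngx_array_t *ssl_passwords; /* ssl_password_file, config time only */` here, with a matching note on the run-time field where it is declared (ngx_http_upstream_conf_t is outside this patch). The enclosing typedef starts before the hunk. The same applies to the proxy and uwsgi structs below.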
@@ -4383,7 +4384,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
 conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
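Review bot: `conf->upstream.ssl_passwords` is no longer initialised here and no longer merged in ngx_http_grpc_merge_loc_conf, so for static-certificate locations its value is whatever the allocation left in it. If this function follows the usual nginx pattern of zero-allocating the struct and listing the zeroed fields in a `set by ngx_pcalloc()` comment block (the allocation is above the hunk), add `conf->upstream.ssl_passwords = NULL;` to that list so the reliance on zero-init is documented; if the struct is not zero-allocated, set it explicitly. ngx_http_grpc_create_loc_conf starts and ends outside the hunk, and the same point applies to the proxy and uwsgi create functions.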
 
@@ -4496,8 +4497,8 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t 
 prev->upstream.ssl_certificate, NULL);
 ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
 prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
 
 ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
 prev->ssl_conf_commands, NULL);
@@ -4853,15 +4854,15 @@ ngx_http_grpc_ssl_password_file(ngx_conf
 
 ngx_str_t *value;
 
- if (glcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (glcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
 return "is duplicate";
 }
 
 value = cf->args->elts;
 
- glcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (glcf->upstream.ssl_passwords == NULL) {
+ glcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (glcf->ssl_passwords == NULL) {
 return NGX_CONF_ERROR;
 }
 
@@ -4890,7 +4891,7 @@ ngx_http_grpc_merge_ssl(ngx_conf_t *cf, 
 && conf->ssl_ciphers.data == NULL
 && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_verify == NGX_CONF_UNSET
 && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
 && conf->ssl_trusted_certificate.data == NULL
@@ -4942,7 +4943,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
 || glcf->upstream.ssl_certificate_key->lengths))
 {
 glcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords);
 if (glcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
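Review bot: `glcf->ssl_passwords` can be NULL on this line when no `grpc_ssl_password_file` is configured (the merge above defaults it to NULL, and set_ssl presumably runs after that merge), so what `ngx_ssl_preserve_passwords()` returns for a NULL input decides whether an encrypted key loaded at run time in a worker falls back to OpenSSL's default terminal passphrase callback. The null check on the following line treats NULL as a failure, so preserve must return a non-NULL (empty) array for the no-password-file case; that helper is not in this patch, please confirm it does. A short comment here, `/* NULL -> empty array: never fall back to the default prompt callback in workers */`, would make the intent visible to readers. ngx_http_grpc_set_ssl continues outside the hunk.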
@@ -4987,7 +4988,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
 || glcf->upstream.ssl_certificate_key->lengths)
 {
 glcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords);
 if (glcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
@@ -4996,7 +4997,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
 if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
 &glcf->upstream.ssl_certificate->value,
 &glcf->upstream.ssl_certificate_key->value,
- glcf->upstream.ssl_passwords)
+ glcf->ssl_passwords)
 != NGX_OK)
 {
 return NGX_ERROR;
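Review bot: This call is the line that actually restores the prompt, yet nothing says why the config-time array rather than `upstream.ssl_passwords` is passed, which invites a future "simplification" back to the shared field. Suggest a why-comment above the `ngx_ssl_certificate()` call: `/* static certificate: use the config-time passwords, not the run-time copy inherited from a variable-using parent, so a missing password file still permits the prompt */`. Per the description, a NULL array here is what re-enables the interactive prompt for encrypted keys, which is only usable at startup in the master process, whereas the variable path above deliberately preserves passwords to avoid any prompt at run time. ngx_http_grpc_set_ssl continues outside the hunk.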
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -124,6 +124,7 @@ typedef struct {
 ngx_uint_t ssl_verify_depth;
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
 ngx_array_t *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
@@ -3410,7 +3411,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
 conf->upstream.ssl_verify = NGX_CONF_UNSET;
 conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
 conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
@@ -3760,8 +3761,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
 prev->upstream.ssl_certificate, NULL);
 ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
 prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
 
 ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
 prev->ssl_conf_commands, NULL);
@@ -4872,15 +4873,15 @@ ngx_http_proxy_ssl_password_file(ngx_con
 
 ngx_str_t *value;
 
- if (plcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
 return "is duplicate";
 }
 
 value = cf->args->elts;
 
- plcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (plcf->upstream.ssl_passwords == NULL) {
+ plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (plcf->ssl_passwords == NULL) {
 return NGX_CONF_ERROR;
 }
 
@@ -4942,7 +4943,7 @@ ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
 && conf->ssl_ciphers.data == NULL
 && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_verify == NGX_CONF_UNSET
 && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
 && conf->ssl_trusted_certificate.data == NULL
@@ -4994,7 +4995,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 || plcf->upstream.ssl_certificate_key->lengths))
 {
 plcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords);
 if (plcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
@@ -5039,7 +5040,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 || plcf->upstream.ssl_certificate_key->lengths)
 {
 plcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords);
 if (plcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
@@ -5048,7 +5049,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
 &plcf->upstream.ssl_certificate->value,
 &plcf->upstream.ssl_certificate_key->value,
- plcf->upstream.ssl_passwords)
+ plcf->ssl_passwords)
 != NGX_OK)
 {
 return NGX_ERROR;
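Review bot: As in the grpc module, the switch to `plcf->ssl_passwords` on this call is the actual fix but carries no explanation, so a reader cannot tell it apart from the `upstream.ssl_passwords` assignments a few lines above. Suggest above the `ngx_ssl_certificate()` call: `/* static certificate: config-time passwords, not the run-time copy, so a missing password file still permits the prompt */`. Note that a NULL array here allows OpenSSL's interactive passphrase prompt, which is only appropriate at startup in the master process; the variable path above preserves passwords precisely so that never happens in a worker. ngx_http_proxy_set_ssl continues outside the hunk.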
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -54,6 +54,7 @@ typedef struct {
 ngx_uint_t ssl_verify_depth;
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
 ngx_array_t *ssl_conf_commands;
 #endif
 } ngx_http_uwsgi_loc_conf_t;
@@ -1568,7 +1569,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
 conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
 
@@ -1901,8 +1902,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
 prev->upstream.ssl_certificate, NULL);
 ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
 prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
 
 ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
 prev->ssl_conf_commands, NULL);
@@ -2437,15 +2438,15 @@ ngx_http_uwsgi_ssl_password_file(ngx_con
 
 ngx_str_t *value;
 
- if (uwcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
 return "is duplicate";
 }
 
 value = cf->args->elts;
 
- uwcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (uwcf->upstream.ssl_passwords == NULL) {
+ uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (uwcf->ssl_passwords == NULL) {
 return NGX_CONF_ERROR;
 }
 
@@ -2474,7 +2475,7 @@ ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf,
 && conf->ssl_ciphers.data == NULL
 && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
 && conf->upstream.ssl_verify == NGX_CONF_UNSET
 && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
 && conf->ssl_trusted_certificate.data == NULL
@@ -2526,7 +2527,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
 || uwcf->upstream.ssl_certificate_key->lengths))
 {
 uwcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords);
 if (uwcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
@@ -2571,7 +2572,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
 || uwcf->upstream.ssl_certificate_key->lengths)
 {
 uwcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords);
 if (uwcf->upstream.ssl_passwords == NULL) {
 return NGX_ERROR;
 }
@@ -2580,7 +2581,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
 if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
 &uwcf->upstream.ssl_certificate->value,
 &uwcf->upstream.ssl_certificate_key->value,
- uwcf->upstream.ssl_passwords)
+ uwcf->ssl_passwords)
 != NGX_OK)
 {
 return NGX_ERROR;
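Review bot: Same remark as for the grpc and proxy modules: the change to `uwcf->ssl_passwords` on this call is the behavioural fix and deserves a why-comment, e.g. `/* static certificate: config-time passwords, not the run-time copy, so a missing password file still permits the prompt */`. Without it the three modules drift easily, since the same field rename has to be kept in step by hand in each of them. ngx_http_uwsgi_set_ssl continues outside the hunk.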

