Issue with SSL client certificate

October 21, 2009 12:10PM
I have an unusual case where, as a server, I need the client to provide an SSL cert; however, I am not interested in verifying it. In order to convince the client to provide a cert, the SSL_VERIFY_PEER param is passed to the context using the SSL_CTX_set_verify function. This happens in the function ngx_ssl_client_certificate in "ngx_event_openssl.c" (configured by setting ssl_verify_client to 'ask'):

......
ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_int_t depth)
{
    STACK_OF(X509_NAME)  *list;

    SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);

    SSL_CTX_set_verify_depth(ssl->ctx, depth);

    if (cert->len == 0) {
        return NGX_OK;
    }
......

However, in order to get into that code, I have to first call ngx_http_ssl_merge_srv_conf in "ngx_http_ssl_module.c":

.....
    if (conf->verify) {

        if (conf->client_certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_client_verify");
            return NGX_CONF_ERROR;
        }

        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
    }
....

The problem is that if (conf->verify) is non-zero but (conf->client_certificate.len == 0), the function aborts. This will happen when verify is turned on but the ca_cert is not supplied in the configuration. I can get around this by commenting out that check, and the code works fine:

.....
    if (conf->verify) {

        /* if (conf->client_certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no ssl_client_certificate for ssl_client_verify");
            return NGX_CONF_ERROR;
        }
        */
        if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                       &conf->client_certificate,
                                       conf->verify_depth)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
    }
....

My question is, does nginx need to return NGX_CONF_ERROR if the ssl_client_certificate (i.e. ca_cert) is not provided? It already correctly checks for an empty ca_cert in "ngx_ssl_client_certificate" and returns NGX_OK in that case.
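For readers arriving at this thread today: later nginx releases (1.3.8 and 1.2.5 onward) added the ssl_verify_client value optional_no_ca, which does exactly what the post asks for without patching the config merge: the certificate is requested during the handshake, no ssl_client_certificate is required, and nginx does not check the chain, leaving verification to something behind it. The configuration below is an added example, not part of the original post or of nginx's own documentation. The host name, file paths, backend address and header names are placeholders chosen for illustration.

```nginx
# Added example (not from the original post). Assumes nginx >= 1.3.8 / 1.2.5
# for optional_no_ca and >= 1.13.5 for $ssl_client_escaped_cert; the backend
# at 127.0.0.1:8080 is a placeholder that performs its own certificate checks.
server {
    listen 443 ssl;
    server_name example.test;                         # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Ask the client for a certificate but do not require it to chain to a
    # trusted CA, so no ssl_client_certificate directive is needed here.
    ssl_verify_client optional_no_ca;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # $ssl_client_verify is SUCCESS only when the certificate chains to a
        # CA loaded with ssl_client_certificate; otherwise FAILED:<reason>,
        # or NONE when the client sent no certificate at all.
        proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN          $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;
        proxy_set_header X-SSL-Client-Cert        $ssl_client_escaped_cert;
    }
}
```

With this mode nginx has validated nothing about the certificate, so the backend must treat the forwarded certificate and its fields as untrusted input: it has to build the chain itself against the CA it expects, check validity dates and revocation, and only accept these headers on connections that provably come from this nginx instance (any other ingress path must strip them), since a client on a different path could otherwise supply the headers directly.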
Thread:
Issue with SSL client certificate, scunningham, October 21, 2009 12:10PM
Re: Issue with SSL client certificate, Igor Sysoev, October 21, 2009 03:44PM
Re: Issue with SSL client certificate, scunningham, October 22, 2009 09:06AM
