July 19, 2012 05:13PM

The proposed patch enables a use-case scenario where Nginx asks the client for a TLS certificate but does not make any attempt to validate it, passing it to the application instead. The application itself is then free to decide whether the provided certificate is valid and is able to reject it with the same HTTP status codes as Nginx does.

The same use-case is also referenced in "http://forum.nginx.org/read.php?2,15584" and is *critical* for implementing protocols like WebID (http://www.w3.org/wiki/WebID), which rely on custom TLS certificates signed with keys that are unknown in advance.
With the patch, that can be accomplished by specifying "ssl_verify_client pass_only;" ("ssl_client_certificate" is *not* used in this case) and using "uwsgi_param X_CLIENT_CERT $ssl_client_raw_cert;" (or similar options for different backends).

Currently, Nginx supports the "off", "on" and "optional" parameters to the "ssl_verify_client" option, the latter two of which ("on" and "optional") require a CA certificate (specified with the "ssl_client_certificate" option) and perform a mandatory check against it if the client provides a certificate.
The "optional" parameter seems to allow the client to skip providing the certificate, but still requires a CA certificate and performs the check (if the client provides the cert), returning HTTP status 495 if validation against that CA fails.
So there is currently no way to require a client certificate but perform its validation in the application (or on whatever backend) only, hence the patch.

Please consider merging the patch into the nginx codebase, enabling the aforementioned use-case in some other way, or at least commenting on why it might be a wrong or unsuitable approach/feature (if only to block further proposals in the same vein).

The patch is made on top of the current (as of 07.2012) svn trunk.
In case the forum interface mangles the inline attachment, it can also be found at the following URL: https://raw.github.com/gist/3146701/

From 0ade221a2dbaeedfa5255875a89485166221a6f0 Mon Sep 17 00:00:00 2001
From: Mike Kazantsev <mk.fraggod@gmail.com>
Date: Fri, 20 Jul 2012 02:45:10 +0600
Subject: [PATCH] Add "pass_only" option to ssl_verify_client to enable
app-only validation

src/http/modules/ngx_http_ssl_module.c | 3 ++-
src/http/ngx_http_request.c | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index d759489..4435435 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t ngx_http_ssl_verify[] = {
{ ngx_string("off"), 0 },
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
+ { ngx_string("pass_only"), 3 },
{ ngx_null_string, 0 }

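Review bot: the new table entry's value 3 is then compared as a bare literal in the two other hunks (ngx_http_ssl_merge_srv_conf and ngx_http_process_request); give it a name (a define or enum next to this table, e.g. NGX_HTTP_SSL_VERIFY_PASS_ONLY) so that the three places cannot drift apart if the table is ever reordered. The ssl_verify_client documentation also needs an entry for "pass_only" stating that ssl_client_certificate is not used with it, as the cover note says.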
@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

if (conf->verify) {

- if (conf->client_certificate.len == 0) {
+ if (conf->verify != 3 && conf->client_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl_client_certificate for ssl_client_verify");
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 26420b1..11373dc 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1631,7 +1631,7 @@ ngx_http_process_request(ngx_http_request_t *r)

sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);

- if (sscf->verify) {
+ if (sscf->verify && sscf->verify != 3) {
rc = SSL_get_verify_result(c->ssl->connection);

if (rc != X509_V_OK) {
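Review bot: adding `sscf->verify != 3` skips the whole `if (sscf->verify)` block, not just the SSL_get_verify_result() check, so any handling that block has for a client that presented no certificate at all (the 496 case) is skipped as well, and nothing in nginx then "requires" a certificate as the cover note says pass_only should. Either keep a presence check (SSL_get_peer_certificate() returning NULL) for verify == 3 and answer with 496, or document that with pass_only the backend must treat an empty X_CLIENT_CERT as "no certificate presented". The literal 3 should also be a named constant shared with the ssl module.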
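As an added illustration of the backend-side validation the post describes (example code, not from the post, from nginx or from any WebID implementation): a Go routine that takes the PEM nginx would forward in X_CLIENT_CERT under "ssl_verify_client pass_only", verifies it against a CA pool that only the application knows about, and maps the outcome onto the same 495/496 statuses nginx uses for its own checks. The WebID URI https://example.org/alice#me, the app-private CA and the two client certificates are all constructed inside BuildFixtures for the example and do not come from the page; the untabbing step is there because nginx's $ssl_client_cert variable (unlike $ssl_client_raw_cert) prefixes every PEM line after the first with a tab.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Status codes mirroring what nginx returns when it does the check itself:
// 495 when verification fails, 496 when no certificate was presented.
const (
	StatusOK        = 200
	StatusCertError = 495
	StatusNoCert    = 496
)

// ValidateClientCert is the check nginx skips under pass_only. It takes the PEM
// forwarded in X_CLIENT_CERT ($ssl_client_raw_cert, or the tab-indented
// $ssl_client_cert form), verifies the chain against an application-private
// root pool and returns an HTTP status plus, on success, the first URI
// subjectAltName, which is where a WebID-style identity lives.
func ValidateClientCert(rawPEM string, roots *x509.CertPool, now time.Time) (int, string) {
	if strings.TrimSpace(rawPEM) == "" {
		return StatusNoCert, "" // client sent no certificate at all
	}
	rawPEM = strings.ReplaceAll(rawPEM, "\n\t", "\n") // undo $ssl_client_cert indentation
	block, _ := pem.Decode([]byte(rawPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return StatusCertError, ""
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return StatusCertError, ""
	}
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return StatusCertError, "" // untrusted issuer, expired, wrong EKU, ...
	}
	if len(cert.URIs) == 0 {
		return StatusCertError, "" // trusted, but carries no identity we can use
	}
	return StatusOK, cert.URIs[0].String()
}

// makeCert mints a certificate from tmpl; with parent == nil it is self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (string, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert, key
}

// BuildFixtures constructs example material (not real certificates): an
// app-private CA that nginx never sees, a client cert issued by it carrying an
// assumed WebID URI, and a self-signed stranger claiming the same URI.
// Returns roots, clientPEM, strangerPEM and the reference time.
func BuildFixtures() (*x509.CertPool, string, string, time.Time) {
	now := time.Now()
	base := func(serial int64, cn string) x509.Certificate {
		return x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	ca := base(1, "app-private CA (constructed)")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	_, caCert, caKey := makeCert(&ca, nil, nil)

	webid, _ := url.Parse("https://example.org/alice#me") // assumed WebID, not from the page
	client := base(2, "alice")
	client.URIs = []*url.URL{webid}
	clientPEM, _, _ := makeCert(&client, caCert, caKey)

	stranger := base(3, "mallory")
	stranger.URIs = []*url.URL{webid} // same claimed identity, nobody we trust vouches for it
	strangerPEM, _, _ := makeCert(&stranger, nil, nil)

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, clientPEM, strangerPEM, now
}

func main() {
	roots, clientPEM, strangerPEM, now := BuildFixtures()
	for name, p := range map[string]string{"issued-by-app-CA": clientPEM, "self-signed": strangerPEM, "none": ""} {
		st, id := ValidateClientCert(p, roots, now)
		fmt.Printf("%-17s -> %d %s\n", name, st, id)
	}
}
```

The point of the pool being application-private is exactly the pass_only scenario: nginx cannot be given a CA because the signing keys are not known in advance, so the backend is the only place where trust decisions can be made, and it has to cover the "no certificate" case itself since nginx no longer does.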
Thread (Subject / Author / Posted):

[PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation / mk.fg / July 19, 2012 05:13PM
Re: [PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation / Maxim Dounin / July 23, 2012 02:32PM
Re: [PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation / mk.fg / July 24, 2012 05:23AM
Re: [PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation / elf-pavlik / August 10, 2012 11:17AM
Re: [PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation / mk.fg / August 10, 2012 07:54PM
