Welcome! Log In Create A New Profile

Advanced

[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

September 15, 2012 07:52AM
Re-post of patch from http://forum.nginx.org/read.php?2,228761,229586#msg-229586
Updated version of the patch in the original thread haven't received any new attention, it seems, and I've received several inquiries now about the status of this work, so this thread is basically an attempt to draw more attention to this patch.

Use-case is the same as before - enable CA-chain validation in the application only - but with all non-CA-chain validation handled by nginx, so it won't be necessary to duplicate (and possibly mess-up) these details (handled by openssl) in application code.

For more details on reasoning behind the use-case and the previous comments on how it should be implemented, please see the original '[PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation' thread (linked for the web interface above).

Notes from original thread on the latest patch incarnation:

> Option is now called "optional_no_ca", as suggested, and allows to check all
> certificate parameters except for a trust chain. I've used
> ssl_verify_error_is_optional macro (listing trust-chain related errors) directly
> from apache 2.4.2 codebase.

> Note that since ngx_ssl_get_client_verify now has to access configuration, which
> is accessible from ngx_http_request_t, it wasn't enough to pass ngx_connection_t
> to it, plus it was only used from ngx_http_ssl_module.c, so I've moved the
> modified version of it into ngx_http_ssl_module.c, to avoid having to include
> http-only stuff into ngx_event_openssl.c. If that was a bad idea, and there's a
> need to keep that function generic (non-http-only), please suggest whether
> generic copy should just be kept in ngx_event_openssl.c, it's signature should
> be extended to have http-specific options or maybe there should be conditional
> includes for http stuff.

> URL for the patch: https://raw.github.com/gist/3319062/

(I'm not posting the patch inline here, because forum interface seem to break it anyway, but it can also be found inline in the original thread)
Subject Author Posted

[PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

mk.fg September 15, 2012 07:52AM

Re: [PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

elf-pavlik September 15, 2012 08:07AM

Re: [PATCH] (re-post) Add "optional_no_ca" option to ssl_verify_client to enable app-only CA chain validation

Maxim Dounin September 18, 2012 03:46AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 105
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready