Re: Whitelisting Client Side Certificates

February 26, 2014 01:04PM
On Wed, Feb 26, 2014 at 9:58 AM, David Birdsong <david.birdsong@gmail.com>wrote:

> Having just gone through learning about this over the last few days,
> here's what I learned. Take it w/ a grain of salt.
>
> There are 2 ways I'm aware of.
>
> 1. turn on strict client verify and limit the ca list that the server
> knows about. this will cause the server to have a limited view of what
> certs are valid in the world and cause it to reject any client whose cert
> doesn't chain back to your ca list. I think you set that here:
>
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
>
> 2. match subject name and subjectAltName to a whitelist. I don't
> know if nginx can do this part natively. Haproxy can:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-verifyhost
>
> ...from skimming, the way you'd do #2 is to use
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
> to set a proxy header from: $ssl_client_cert and have your backend parse
> and accept/deny names found in that pem structure
>

#2 sounds like a great job for:
http://wiki.nginx.org/HttpLuaModule#access_by_lua


>
> On Wed, Feb 26, 2014 at 9:37 AM, paddy3883 <nginx-forum@nginx.us> wrote:
>
>> I'm currently working on POC for my company which is looking to use NGINX
>> to
>> validate API Requests using Client Side Certificates. Presently we have it
>> setup so we are self signing/generating these certificates on the local
>> machine and are able to use these successfully in our tests. We are also
>> able to use the revocation list to disable generated certificates.
>>
>> Moving forward it is possible we will be using an external CA to generate
>> these certificates and we are trying to determine if there is a way to
>> 'whitelist' certificates so only those generated ones which we have
>> visibility of will be verified, rather than a 'blacklisting' approach to
>> block those which are revoked? i.e. Given a client certificate generated
>> by
>> an external CA how can we establish this in a trusted list of certs to
>> verify?
>>
>> Apologies if this question is lacking technical details/knowledge, this is
>> my first hands on experience with SSL.
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,247969,247969#msg-247969
>>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
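The two approaches above combine naturally: approach 1 (strict chain verification against a small CA list) guarantees that a certificate was issued by a CA you trust, and approach 2 (matching the subject against a whitelist) narrows the accepted set to specific certificates from that CA. The configuration below is an added example written for this thread, not code from the thread or from the nginx project. It assumes lua-nginx-module (OpenResty) for access_by_lua_block, uses ssl_client_certificate as the directive that defines the client CA list, and reads the subject via the built-in $ssl_client_s_dn variable so no PEM parsing is needed; the file paths, server name, distinguished names and backend address are placeholders.

```nginx
# Added example (not from the thread): strict chain verification (approach 1)
# plus a subject-DN whitelist enforced in Lua (approach 2, via lua-nginx-module).
# All paths, DNs and addresses below are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/server.pem;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Approach 1: only certificates that chain to this CA bundle are accepted.
    # "on" (rather than "optional") makes nginx fail the handshake when
    # verification fails, so no unverified request reaches a location block.
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location /api/ {
        # Approach 2: per-certificate whitelist on the subject DN. Because
        # ssl_verify_client is "on", anything reaching this block has already
        # passed chain validation; this step only narrows the accepted set,
        # so a self-signed certificate with a whitelisted CN still fails.
        access_by_lua_block {
            -- Exact subject DNs allowed to call the API (placeholders).
            -- $ssl_client_s_dn is RFC 2253 formatted ("CN=...,O=...,C=...")
            -- in nginx >= 1.11.6; older versions and $ssl_client_s_dn_legacy
            -- use the "/C=../O=../CN=.." form, so match whichever you run.
            local allowed = {
                ["CN=billing-client-01,O=Example Corp,C=GB"] = true,
                ["CN=billing-client-02,O=Example Corp,C=GB"] = true,
            }

            -- Exact-match lookup: substring or pattern matching would let a
            -- DN such as "CN=billing-client-01-evil" slip through.
            local dn = ngx.var.ssl_client_s_dn
            if dn == nil or dn == "" or not allowed[dn] then
                ngx.log(ngx.WARN, "client cert rejected by whitelist: ",
                        tostring(dn))
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        }

        # Pass the verified identity to the backend instead of the raw PEM;
        # the backend must trust this header only from this proxy.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

If the external CA issues certificates whose subject names may collide or be reused, key the whitelist on $ssl_client_fingerprint (available since nginx 1.7.1) instead of the DN, which pins individual certificates rather than names; rejected requests are logged at WARN level so the whitelist's effect can be monitored.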
Subject / Author / Posted

Whitelisting Client Side Certificates - paddy3883 - February 26, 2014 12:37PM
Re: Whitelisting Client Side Certificates - dannynoonan - February 26, 2014 01:00PM
Re: Whitelisting Client Side Certificates - dannynoonan - February 26, 2014 01:04PM
Re: Whitelisting Client Side Certificates - dannynoonan - February 26, 2014 03:32PM
Re: Whitelisting Client Side Certificates - paddy3883 - February 27, 2014 06:16AM


