Welcome! Log In Create A New Profile

Advanced

Re: proxy_ssl_certificate not exchanging client certificates

April 29, 2015 05:09PM
Thanks for getting back to me so quickly!

Maxim Dounin Wrote:
-------------------------------------------------------
> What nginx doesn't support (or, rather, explicitly forbids) is
> renegotiation. On the other hand, renegotiation is required if
> one needs to ask for a client certificate only for some URIs, so
> it's likely used in your case. You should see something like "SSL
> renegotiation disabled" in logs at notice level.

Yes, this is exactly the problem. With your hint, I commented out the relevant code in ngx_ssl_handshake and ngx_ssl_handle_recv -- and proxying worked flawlessly. (Interestingly, I never saw the log you identified because of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS having been set on the openssl connection object.)

I think I understand the gist of why nginx forbids client-initiated renegotiation (denial of service concerns? security concerns?), but I'm not well-versed in openssl enough to know if the same concerns apply to server-initiated renegotiation with nginx as the client, especially when it applies to cipher renegotiation as noted above.

Would nginx be open to a patch that would make this use case feasible? Perhaps as a modification to only disable these renegotiations when nginx is the server in the SSL equation?
Subject Author Posted

proxy_ssl_certificate not exchanging client certificates

lieut_data April 28, 2015 05:17PM

Re: proxy_ssl_certificate not exchanging client certificates

Maxim Dounin April 29, 2015 08:06AM

Re: proxy_ssl_certificate not exchanging client certificates

lieut_data April 29, 2015 05:09PM

Re: proxy_ssl_certificate not exchanging client certificates

Maxim Dounin May 07, 2015 09:34AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 64
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready