Welcome! Log In Create A New Profile

Advanced

Re: proxy_ssl_certificate not exchanging client certificates

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
May 07, 2015 09:34AM
Hello!

On Wed, Apr 29, 2015 at 05:09:26PM -0400, lieut_data wrote:

> Thanks for getting back to me so quickly!
>
> Maxim Dounin Wrote:
> -------------------------------------------------------
> > What nginx doesn't support (or, rather, explicitly forbids) is
> > renegotiation. On the other hand, renegotiation is required if
> > one needs to ask for a client certificate only for some URIs, so
> > it's likely used in your case. You should see something like "SSL
> > renegotiation disabled" in logs at notice level.
>
> Yes, this is exactly the problem. With your hint, I commented out the
> relevant code in ngx_ssl_handshake and ngx_ssl_handle_recv -- and proxying
> worked flawlessly. (Interestingly, I never saw the log you identified
> because of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS having been set on the openssl
> connection object.)
>
> I think I understand the gist of why nginx forbids client-initiated
> renegotiation (denial of service concerns? security concerns?), but I'm not
> well-versed in openssl enough to know if the same concerns apply to
> server-initiated renegotiation with nginx as the client, especially when it
> applies to cipher renegotiation as noted above.
>
> Would nginx be open to a patch that would make this use case feasible?
> Perhaps as a modification to only disable these renegotiations when nginx is
> the server in the SSL equation?

The renegotiation is disabled for security reasons since
CVE-2009-3555. While CVE-2009-3555 is believed to be mitigated by
Secure Renegotiation extension, renegotiation itself, even secure,
still allows various bad side effects if allowed: in particular,
peer credentials and/or ciphers used may be changed unexpectedly.

I don't think we care much about the above happening on an
upstream connection though, so patches are welcome. (Actually,
original patch I submitted back in 2009 did not touch upstream
connections at all, but Igor decided to disable renegotiation
completely.)

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

proxy_ssl_certificate not exchanging client certificates

lieut_data April 28, 2015 05:17PM

Re: proxy_ssl_certificate not exchanging client certificates

Maxim Dounin April 29, 2015 08:06AM

Re: proxy_ssl_certificate not exchanging client certificates

lieut_data April 29, 2015 05:09PM

Re: proxy_ssl_certificate not exchanging client certificates

Maxim Dounin May 07, 2015 09:34AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 164
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready