Re: [PATCH] mail_{ssl, auth_http}_module: add support for SSL client certificates

Filipe Da Silva
January 13, 2014 07:10AM
Hi.

Some remarks about your patch.

2014/1/13 <nginx-devel-request@nginx.org>:
> From: Sven Peter <sven@ha.cki.ng>
> To: nginx-devel@nginx.org
> Subject: [PATCH] mail_{ssl, auth_http}_module: add support for SSL
> client certificates
> Message-ID: <8744640301ae0f7d4c16.1389608966@123.fritz.box>
> Content-Type: text/plain; charset="us-ascii"
>
> # HG changeset patch
> # User Sven Peter <sven@ha.cki.ng>
> # Date 1389607375 -3600
> # Mon Jan 13 11:02:55 2014 +0100
> # Node ID 8744640301ae0f7d4c16108e68c9ae6eb60f2213
> # Parent 4aa64f6950313311e0d322a2af1788edeb7f036c
> mail_{ssl,auth_http}_module: add support for SSL client certificates
>
> This patch adds support for SSL client certificates to the mail proxy
> capabilities of nginx both for STARTTLS and SSL mode.
> Just like the HTTP SSL module a root CA is defined in the mail section
> of the configuration file. Verification can be optional or mandatory.
> Additionally, the result of the verification is exposed to the
> auth http backend via the SSL-Verify, SSL-Subject-DN and SSL-Issuer-DN
> HTTP headers.
>
> diff -r 4aa64f695031 -r 8744640301ae src/mail/ngx_mail_auth_http_module.c
> --- a/src/mail/ngx_mail_auth_http_module.c Sat Jan 04 03:32:22 2014 +0400
> +++ b/src/mail/ngx_mail_auth_http_module.c Mon Jan 13 11:02:55 2014 +0100
> @@ -1144,6 +1144,11 @@
> ngx_buf_t *b;
> ngx_str_t login, passwd;
> ngx_mail_core_srv_conf_t *cscf;
> + ngx_str_t ssl_client_verify = {0, NULL};
> + ngx_str_t ssl_client_raw_s_dn = {0, NULL};
> + ngx_str_t ssl_client_raw_i_dn = {0, NULL};
> + ngx_str_t ssl_client_s_dn = {0, NULL};
> + ngx_str_t ssl_client_i_dn = {0, NULL};

This kind of initialization is not part of the nginx coding style.

>
> if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) {
> return NULL;
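
Review bot: the five new ngx_str_t declarations sit outside any preprocessor guard, while the calls that fill them in the following hunk are under #if (NGX_MAIL_SSL); in a build without mail SSL they are declared but, as far as these lines show, never set. Put the declarations under the same #if (NGX_MAIL_SSL) guard and drop the {0, NULL} initializers, assigning the fields explicitly where the values are first needed.
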
> @@ -1153,6 +1158,29 @@
> return NULL;
> }
>
> + // ssl_client_verify doesn't need to be escaped since it comes from nginx itself
> +#if (NGX_MAIL_SSL)
> + ngx_ssl_get_client_verify(s->connection, pool, &ssl_client_verify);
> + ngx_ssl_get_subject_dn(s->connection, pool, &ssl_client_s_dn);
> + ngx_ssl_get_subject_dn(s->connection, pool, &ssl_client_i_dn);
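
Review bot: the three ngx_ssl_get_* calls discard their return values, unlike the ngx_mail_auth_http_escape() call earlier in the function, which returns NULL on anything other than NGX_OK; check each result the same way so that a failed lookup is not sent to the auth backend as an empty value. The #if (NGX_MAIL_SSL) guard is compile-time only, so also test s->connection->ssl before the calls, since nothing in these lines limits them to sessions that actually negotiated TLS. The `//` comment should be a /* */ comment to match the rest of the file.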

Two calls to ngx_ssl_get_subject_dn: copy-paste issue?

....

Regards,
FDS
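
An added example, not part of the original message or of the patch: decision logic for an auth http backend that consumes the SSL-Verify, SSL-Subject-DN and SSL-Issuer-DN headers named in the patch description. The SSL-Verify values (SUCCESS, FAILED, NONE), the DN strings, the account table and the upstream address are assumptions constructed for illustration; Auth-User, Auth-Status, Auth-Server, Auth-Port and Auth-Wait are the existing nginx mail auth protocol headers.

```python
# Added example (not from the patch): backend-side policy for the headers
# described in the commit message. All values below are constructed.
TRUSTED_ISSUER_DN = "/C=DE/O=Example Mail/CN=Example Mail Client CA"
UPSTREAM = ("192.0.2.10", "143")  # hypothetical IMAP server (TEST-NET-1)
ACCOUNTS = {"/C=DE/O=Example Mail/CN=alice": "alice"}  # subject DN -> login


def deny(reason):
    """auth_http failure response: any Auth-Status other than OK is an error."""
    return {"Auth-Status": reason, "Auth-Wait": "3"}


def decide(headers):
    """Return the auth_http response headers for one request from nginx."""
    h = {k.lower(): v for k, v in headers.items()}
    verify = h.get("ssl-verify", "NONE")   # assumed values: SUCCESS/FAILED/NONE
    subject = h.get("ssl-subject-dn", "")
    issuer = h.get("ssl-issuer-dn", "")

    # With optional verification the proxy also forwards sessions that sent
    # no certificate or an invalid one, so only an explicit SUCCESS counts.
    if verify != "SUCCESS":
        return deny("client certificate required")

    # Pin the issuer: a header that merely repeats the subject DN must fail.
    if issuer != TRUSTED_ISSUER_DN:
        return deny("untrusted issuer")

    # Bind the certificate to the login; an unknown subject never matches.
    login = ACCOUNTS.get(subject)
    if login is None or login != h.get("auth-user"):
        return deny("certificate does not match login")

    return {"Auth-Status": "OK",
            "Auth-Server": UPSTREAM[0],
            "Auth-Port": UPSTREAM[1]}
```

These headers are only meaningful when the backend accepts requests from the nginx proxy alone, because any other client could set them itself.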
