Re: Proposed changeset to fix client cert from ngx_ssl_get_certificate passed as HTTP header value

Maxim Dounin
February 03, 2016 09:28PM
Hello!

On Wed, Feb 03, 2016 at 03:38:13PM -0800, Sam McKelvie wrote:

> The ngx_ssl_get_certificate() changes “\n” to “\n\t” in the returned PEM string in an effort to make
> the string usable as an HTTP header value with $ssl_client_cert. However, bare ‘\n’ (without a preceding ‘\r’) is passed
> along as “\n\t”. This causes some HTTP servers (including node/express) to hang up. This changeset
> fixes the problem by replacing occurrences of ‘\n’ that have no preceding ‘\r’ with "\r\n\t".
>
> Tested with node.js/express and nginx-tests.
>
> I should note that a similar solution was proposed at https://forum.nginx.org/read.php?29,249804,249833, but the thread never went anywhere.
> This solution is slightly more paranoid with edge cases and does not insert extra ‘\r’ characters if they are already present.

IMHO, header line folding is wrong enough not to bother with
trying to fix this. It doesn't work in way too many cases
including with nginx itself, and it is deprecated by RFC7230.

A much better approach would be to switch to something different -
maybe just a properly urlencoded $ssl_client_raw_cert, or plain
base64 without any newlines, or whatever.

--
Maxim Dounin
http://nginx.org/
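
The alternative suggested in the reply above (a percent-encoded certificate on a single header line instead of a folded PEM), as an added example that is not part of the original message and is not nginx or Express code. The function names and the sample PEM are constructed for illustration; the backend side rejects any folded or multi-line value before decoding.

```javascript
// Added example; function names are hypothetical, not nginx or Express APIs.
// Constructed sample: PEM-shaped text whose body is placeholder data,
// not a real certificate.
const SAMPLE_BODY = "constructed sample, not a real certificate";
const SAMPLE_PEM =
  "-----BEGIN CERTIFICATE-----\n" +
  Buffer.from(SAMPLE_BODY).toString("base64") + "\n" +
  "-----END CERTIFICATE-----\n";

// Folded form as the thread describes it: each "\n" becomes "\n\t".
function foldForHeader(pem) {
  return pem.replace(/\n/g, "\n\t");
}

// Proxy side: percent-encode the PEM so the header value is one line.
function encodeCertHeader(pem) {
  return encodeURIComponent(pem);
}

// Backend side: refuse anything that is not a single line of printable
// ASCII, then decode and extract the DER bytes.
function decodeCertHeader(value) {
  if (/[^\x21-\x7e]/.test(value)) {
    throw new Error("header value contains whitespace or control bytes");
  }
  let pem;
  try {
    pem = decodeURIComponent(value).replace(/\r\n/g, "\n");
  } catch (e) {
    throw new Error("malformed percent-encoding");
  }
  const m = /^-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+\/=\n]+)-----END CERTIFICATE-----\n?$/.exec(pem);
  if (!m) {
    throw new Error("not exactly one PEM certificate");
  }
  return Buffer.from(m[1].replace(/\n/g, ""), "base64");
}

// Returns true when decodeCertHeader rejects the value.
function isRejected(value) {
  try { decodeCertHeader(value); return false; } catch (e) { return true; }
}
```
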
