Re: Proposed changeset to fix client cert from ngx_ssl_get_certificate passed as HTTP header value

Maxim Dounin
February 05, 2016 11:00AM
Hello!

On Thu, Feb 04, 2016 at 01:38:48PM -0800, Sam McKelvie wrote:

> I think it is your call if you want to make a breaking change to
> $ssl_client_cert to URL encode it; I'd be happy to submit the
> changeset if you would approve that, but I personally don't feel
> comfortable breaking any existing applications that parse/decode the
> certificate.

No, certainly not something I want to be done.

> So my suggestion now is to define a new $ssl_client_cert_url_encoded
> variable that is the URL-encoded form of the raw PEM certificate. With
> your approval I will submit a changeset for that...

Yes, adding a variable with a URL-escaped version looks like a
way to go. I disagree with the name you suggest though, I think
that something like $ssl_client_escaped_cert would be more in line
with $ssl_client_cert and $ssl_client_raw_cert variables we
currently have and the ngx_escape_uri() function nginx uses
internally.

Some more background. As of now we have:

- $ssl_client_raw_cert - client cert in PEM format
- $ssl_client_cert - client cert in PEM format with \t added

At some distant point in the future we probably want to have:

- $ssl_client_cert - client cert in PEM format
- a way to urlescape() things, see
https://trac.nginx.org/nginx/ticket/52

At this point, an escaped version of the client cert will be
available as something like ${urlescape($ssl_client_cert)}. All
uses of client cert with tabs are expected to disappear. There
are a couple of problems though:

- there are existing uses of $ssl_client_cert and
$ssl_client_raw_cert, breaking them would be bad;

- we don't have a urlescape() function in configs, and probably
won't have it in the near future.

So we have to figure out some migration plan, e.g.:

- introduce $ssl_client_escaped_cert, with urlescaped PEM cert;

- introduce $ssl_client_tabbed_cert as an alias to
$ssl_client_cert (with PEM cert with tabs);

- change $ssl_client_cert back to be raw cert (preserving
$ssl_client_raw_cert as a deprecated alias for some time);

- do something with $ssl_client_tabbed_cert at some point, not
sure;

- once urlescape() functionality is added, deprecate
$ssl_client_escaped_cert, suggesting to use
urlescape($ssl_client_cert) instead.

Not sure if it's an optimal plan and if we are actually going to
follow it, but introducing $ssl_client_escaped_cert looks like a
more or less obvious 1st step, at least if we don't expect
urlescape() to appear in the near future.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
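
The three forms of the client certificate discussed in the message above (raw PEM, PEM with tabs, URL-escaped PEM), shown from the receiving application's side. This is an added example, not code from the thread or from nginx. The function names are hypothetical, the tab placement in `tabbed()` and the use of `quote()` as a stand-in for nginx's escaping are assumptions, and the sample PEM is constructed.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample: PEM armor around arbitrary bytes, not a real certificate.
_B64 = base64.b64encode(bytes(range(120))).decode("ascii")
RAW_PEM = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
           + "\n-----END CERTIFICATE-----\n")

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n"
                    r"([A-Za-z0-9+/=\n]+)"
                    r"-----END CERTIFICATE-----\n?")


def tabbed(pem: str) -> str:
    """PEM with \\t added (assumed: a tab after every inner newline)."""
    return pem.rstrip("\n").replace("\n", "\n\t")


def escaped(pem: str) -> str:
    """URL-escaped PEM; quote() is a stand-in for the server's escaping."""
    return quote(pem, safe="")


def is_single_line(value: str) -> bool:
    """True if the value fits in one header line without folding."""
    return re.search(r"[\r\n]", value) is None


def pem_from_header(value: str) -> str:
    """Recover and validate one PEM certificate from a forwarded header."""
    if "%" in value:
        if not is_single_line(value):
            raise ValueError("escaped form must not contain CR/LF")
        pem = unquote(value)
    else:
        pem = value.replace("\n\t", "\n")  # undo the tab folding
    match = PEM_RE.fullmatch(pem)
    if match is None:
        raise ValueError("not exactly one PEM certificate")
    # Reject bodies that are not strict base64 before any further parsing.
    base64.b64decode(match.group(1).replace("\n", ""), validate=True)
    return pem if pem.endswith("\n") else pem + "\n"
```

Only the escaped form passes `is_single_line()`; the raw and tabbed forms span several lines when placed in a header value.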