Re: [PATCH] SSL: support for client proxy certificates

Maxim Dounin
March 18, 2019 11:10AM
Hello!

On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:

> # HG changeset patch
> # User Francesco Giacomini <francesco.giacomini@cnaf.infn.it>
> # Date 1552665342 -3600
> # Fri Mar 15 16:55:42 2019 +0100
> # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> # Parent c74904a1702135f673a275bd0d36f010a3bfb89a
> SSL: support for client proxy certificates
>
> Add the option ssl_allow_proxy_certs to allow client authentication
> through X.509 proxy certificates (RFC 3820).
>
> It used to be possible by setting the environment variable
> OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> done programmatically.

Thanks for the patch.

Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:

: For these reasons, OpenSSL requires that the use of proxy certificates be
: explicitly allowed. Currently, this can be done using the following methods:
:
: - if the application directly calls X509_verify_cert(), it can first call:
:
: X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
:
: Where ctx is the pointer which then gets passed to X509_verify_cert().
:
: - proxy certificate validation can be enabled before starting the application
: by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
:
: In the future, it might be possible to enable proxy certificates by editing
: openssl.cnf.

Since nginx does not call X509_verify_cert() directly, the only
documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS
environment variable.

If this functionality is important for you, and given that the
documented approach no longer works, have you considered filing a
bug to the OpenSSL team? It looks like at least one already
exists, though it lacks a proper description of the problem:

https://github.com/openssl/openssl/issues/8177

I'm also a bit sceptical about how common proxy certificates are
and whether they need to be supported by nginx, given that
there is still no support even in openssl.cnf.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
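As an added illustration (not nginx code, and not the submitted patch), the snippet below shows the programmatic counterpart of the OPENSSL_ALLOW_PROXY_CERTS variable for an application that, like nginx, drives verification through an SSL context rather than calling X509_verify_cert() itself: the flag is placed in the context's verify parameters and stays off unless explicitly requested. The helper names and the allow_proxy_certs switch are assumptions for this example.

```python
import ssl

# ssl.VERIFY_ALLOW_PROXY_CERTS (Python 3.10+) wraps OpenSSL's
# X509_V_FLAG_ALLOW_PROXY_CERTS (0x40 in x509_vfy.h), the flag the HOWTO
# sets via X509_STORE_CTX_set_flags() for code that calls X509_verify_cert().
# The numeric fallback is for older Python builds that lack the constant.
PROXY_FLAG = getattr(ssl, "VERIFY_ALLOW_PROXY_CERTS", 0x40)


def make_server_context(ca_file=None, allow_proxy_certs=False):
    """Build a server context that requires a client certificate.

    Proxy certificates (RFC 3820) remain rejected unless the caller opts
    in, mirroring OpenSSL's own default.  Constructed example: the function
    name and the allow_proxy_certs switch are assumptions, not an nginx or
    OpenSSL API.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if allow_proxy_certs:
        # Equivalent of the environment variable, done programmatically:
        # verify_flags writes to the SSL_CTX's X509_VERIFY_PARAM, which every
        # handshake inherits, so no direct X509_verify_cert() call is needed.
        ctx.verify_flags |= PROXY_FLAG
    else:
        # Make the default explicit so an inherited or pre-set flag cannot
        # silently widen what the context accepts.
        ctx.verify_flags &= ~PROXY_FLAG
    return ctx


def proxy_certs_allowed(ctx):
    """Audit helper: report whether a context would accept proxy certs."""
    return bool(ctx.verify_flags & PROXY_FLAG)
```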