

[PATCH] SSL: add new variable $ssl_client_fingerprint_sha256

Andy Brody
November 19, 2019 12:36PM
The existing $ssl_client_fingerprint uses SHA-1 to compute the certificate
digest. This is no longer considered secure. The CA/Browser forum voted to
sunset use of SHA1 in 2014, and all major CAs ceased issuing SHA1 certificates
at the end of 2015.

The first publicly known collision in the full SHA-1 was discovered in 2017.

NGINX users should be able to switch to SHA-256 for TLS client certificate
fingerprints. Ideally $ssl_client_fingerprint should be deprecated.

Add a new variable, $ssl_client_fingerprint_sha256, which uses SHA-256 instead.

Refactor ngx_ssl_get_fingerprint() into a new function
ngx_ssl_get_fingerprint_generic(), which accepts any OpenSSL digest function,
and add ngx_ssl_get_fingerprint_sha256().

src/event/ngx_event_openssl.c | 17 ++++++++++++++++-
src/event/ngx_event_openssl.h | 4 ++++
src/http/modules/ngx_http_ssl_module.c | 3 +++
src/stream/ngx_stream_ssl_module.c | 3 +++
4 files changed, 26 insertions(+), 1 deletions(-)
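The idea behind the refactor described above, as an added example in Python rather than the nginx C the patch touches: one digest-parameterised function stands in for ngx_ssl_get_fingerprint_generic(), with thin SHA-1 and SHA-256 wrappers mirroring the two variables, emitting the lowercase hex that nginx's ngx_hex_dump() produces. The PEM sample is constructed stand-in bytes (not a real certificate), and matches_allowlist() is a hypothetical consumer of the new variable, not part of the patch.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: nginx hashes the raw DER bytes of
# the client certificate, so any byte string exercises the same path.
# This is NOT a real certificate, just b"abc" wrapped in PEM armor.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"abc").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the first certificate block."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, digest="sha256"):
    """Generic fingerprint over the DER bytes, parameterised by digest name
    the way ngx_ssl_get_fingerprint_generic() takes an OpenSSL digest.
    Lowercase hex with no separators, as ngx_hex_dump() formats it."""
    return hashlib.new(digest, der).hexdigest()


def fingerprint_sha1(der):      # value of $ssl_client_fingerprint
    return fingerprint(der, "sha1")


def fingerprint_sha256(der):    # value of $ssl_client_fingerprint_sha256
    return fingerprint(der, "sha256")


def matches_allowlist(fp, allowed):
    """Hypothetical consumer: compare a presented fingerprint against a
    configured allowlist in constant time. Anything that is not 64 hex
    chars (e.g. a 40-char SHA-1 pin) is rejected, so a legacy SHA-1 pin
    cannot keep working unnoticed after the switch to SHA-256."""
    fp = fp.lower()
    if len(fp) != 64:
        return False
    return any(hmac.compare_digest(fp, a.lower()) for a in allowed)
```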

nginx-devel mailing list