Welcome! Log In Create A New Profile

Advanced

[PATCH] SSL: add new variable $ssl_client_fingerprint_sha256

Previous Message Next Message
Forum List Message List New Topic Print View
Andy Brody
November 19, 2019 12:36PM
The existing $ssl_client_fingerprint uses SHA-1 to compute the certificate
digest. This is no longer considered secure. The CA/Browser forum voted to
sunset use of SHA1 in 2014, and all major CAs ceased issuing SHA1 certificates
at the end of 2015.

The first publicly known collision in the full SHA-1 was discovered in 2017.

NGINX users should be able to switch to SHA-256 for TLS client certificate
fingerprints. Ideally $ssl_client_fingerprint should be deprecated.

Add a new variable, $ssl_client_fingerprint_sha256, which uses SHA-256 instead.

Refactor ngx_ssl_get_fingerprint() into a new function
ngx_ssl_get_fingerprint_generic(), which accepts any OpenSSL digest function,
and add ngx_ssl_get_fingerprint_sha256().


src/event/ngx_event_openssl.c | 17 ++++++++++++++++-
src/event/ngx_event_openssl.h | 4 ++++
src/http/modules/ngx_http_ssl_module.c | 3 +++
src/stream/ngx_stream_ssl_module.c | 3 +++
4 files changed, 26 insertions(+), 1 deletions(-)


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[PATCH] SSL: add new variable $ssl_client_fingerprint_sha256

Andy Brody 270 November 19, 2019 12:36PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 277
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready