[PATCH] Add "compliant" option to ssl_verify_client for CORS support

Anonymous User
January 15, 2020 03:52PM
# HG changeset patch
# User Sampson Crowley <sampsonsprojects@gmail.com>
# Date 1579118065 25200
# Wed Jan 15 12:54:25 2020 -0700
# Node ID 4ba211814386f2e4adcd855b27d7d2534a5036a7
# Parent 8a7b59347401bba7b018c7292409ab095ce83466
Add "compliant" option to ssl_verify_client for CORS support

The CORS Spec specifically prohibits any form of credentials
during preflight checks. Because "on" fails ALL requests if
a certificate is not provided, it becomes impossible to use
"ssl_verify_client on;" with spec compliant browsers and CORS,
namely Firefox. I didn't want to break any configs that rely on
or prefer that failure to occur, so I added an additional option
to allow only OPTIONS requests to bypass the client certificate
validation.

diff -r 8a7b59347401 -r 4ba211814386 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue Jan 14 14:20:08 2020 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Jan 15 12:54:25 2020 -0700
@@ -70,6 +70,7 @@
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
{ ngx_string("optional_no_ca"), 3 },
+ { ngx_string("compliant"), 4 },
{ ngx_null_string, 0 }
};

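Review bot: the name "compliant" on the added line does not say what is relaxed, and its value 4 is later matched as a bare literal in ngx_http_request.c (`sscf->verify == 4`). A name that states the behaviour, a comment here, and a documentation entry for the directive saying that OPTIONS requests without a client certificate are let through would make the trade-off visible to whoever configures it.
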
diff -r 8a7b59347401 -r 4ba211814386 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Tue Jan 14 14:20:08 2020 +0300
+++ b/src/http/ngx_http_request.c Wed Jan 15 12:54:25 2020 -0700
@@ -2016,10 +2016,12 @@
return;
}

- if (sscf->verify == 1) {
+ if (sscf->verify == 1 || sscf->verify == 4) {
cert = SSL_get_peer_certificate(c->ssl->connection);

- if (cert == NULL) {
+ if (cert == NULL
+ && (sscf->verify != 4 || r->method != NGX_HTTP_OPTIONS))
+ {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent no required SSL certificate");

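Review bot: the added condition `sscf->verify != 4 || r->method != NGX_HTTP_OPTIONS` exempts every OPTIONS request that arrives without a certificate, not only CORS preflights, because the method is the only thing tested. Either also require the preflight headers (Origin and Access-Control-Request-Method) before skipping the check, or document that in this mode every location and upstream must treat OPTIONS as unauthenticated.
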
@@ -2030,7 +2032,9 @@
return;
}

- X509_free(cert);
+ if(cert != NULL) {
+ X509_free(cert);
+ }
}
}
}
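
Review bot: the added `if(cert != NULL)` guard lacks the space after `if` used elsewhere in this file (compare `if (cert == NULL` in the previous hunk), and it is not needed because X509_free() does nothing when passed NULL. The original unconditional `X509_free(cert);` can stay as it was.
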
diff -r 8a7b59347401 -r 4ba211814386 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Tue Jan 14 14:20:08 2020 +0300
+++ b/src/mail/ngx_mail_ssl_module.c Wed Jan 15 12:54:25 2020 -0700
@@ -52,6 +52,7 @@
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
{ ngx_string("optional_no_ca"), 3 },
+ { ngx_string("compliant"), 1 },
{ ngx_null_string, 0 }
};

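Review bot: mapping "compliant" to 1 on the added line makes it a silent alias for "on" in the mail module, where there is no OPTIONS request to exempt. An operator who writes it gets strict verification under a name that suggests something else; leaving the value out of this enum, so that the configuration is rejected as an invalid value, would be clearer.
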
diff -r 8a7b59347401 -r 4ba211814386 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Tue Jan 14 14:20:08 2020 +0300
+++ b/src/stream/ngx_stream_ssl_module.c Wed Jan 15 12:54:25 2020 -0700
@@ -64,6 +64,7 @@
{ ngx_string("on"), 1 },
{ ngx_string("optional"), 2 },
{ ngx_string("optional_no_ca"), 3 },
+ { ngx_string("compliant"), 1 },
{ ngx_null_string, 0 }
};

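Review bot: the value 1 on the added line again gives "compliant" the meaning of "on", and a stream connection has no HTTP method for the exemption to key on. Drop this line unless the stream module gets behaviour of its own for the option, and state in the commit message which modules the option actually affects.
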
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel