[PATCH] Mail: Add Auth-SSL-Cipher header to each imap/pop/smtp auth request

Robert Mueller
August 13, 2021 04:28AM
# HG changeset patch
# User Rob Mueller <robm@fastmail.fm>
# Date 1628841467 14400
# Fri Aug 13 03:57:47 2021 -0400
# Node ID 6ea8e179293dbd5d09218658220a64a9ce20cb8a
# Parent dda421871bc213dd2eb3da0015d6228839323583
Mail: Add Auth-SSL-Cipher header to each imap/pop/smtp auth request

This adds a new Auth-SSL-Cipher header to the mail proxy auth
protocol when SSL is enabled that reports the SSL cipher that
was negotiated.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions or remove support for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.

diff -r dda421871bc2 -r 6ea8e179293d src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c Tue Aug 10 23:43:17 2021 +0300
+++ b/src/mail/ngx_mail_auth_http_module.c Fri Aug 13 03:57:47 2021 -0400
@@ -1138,7 +1138,7 @@
ngx_connection_t *c;
#if (NGX_MAIL_SSL)
ngx_str_t verify, subject, issuer, serial, fingerprint,
- raw_cert, cert;
+ raw_cert, cert, cipher;
ngx_mail_ssl_conf_t *sslcf;
#endif
ngx_mail_core_srv_conf_t *cscf;
@@ -1157,6 +1157,15 @@

sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);

+ if (c->ssl) {
+ if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
+ return NULL;
+ }
+ cipher.len = ngx_strlen(cipher.data);
+ } else {
+ ngx_str_null(&cipher);
+ }
+
if (c->ssl && sslcf->verify) {

/* certificate details */
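Review bot: the added `cipher.len = ngx_strlen(cipher.data);` reads `cipher.data` with no check that it is non-NULL, and nothing explains why the length has to be set by hand after a successful `ngx_ssl_get_cipher_name()` call. A one-line comment on what the helper does and does not fill in, or a guard that falls back to `ngx_str_null(&cipher)`, would make this safer to maintain. Also consider whether `return NULL` is the right outcome on failure: it aborts the whole auth request over a header that is only used for reporting.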
@@ -1252,6 +1261,8 @@

if (c->ssl) {
len += sizeof("Auth-SSL: on" CRLF) - 1
+ + sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
+ + sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Verify: ") - 1 + verify.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Subject: ") - 1 + subject.len
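Review bot: the two added `+` lines reserve room for `Auth-SSL-Cipher: ` and its CRLF whenever `c->ssl` is set, while the later hunk writes the header only under `if (cipher.len)`. Over-reserving is safe, so the buffer cannot be overrun as written, but the size calculation and the copy have to stay in step: if the value is ever escaped or otherwise transformed before it is written, this length must be updated in the same change.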
@@ -1373,6 +1384,13 @@
b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
sizeof("Auth-SSL: on" CRLF) - 1);

+ if (cipher.len) {
+ b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
+ sizeof("Auth-SSL-Cipher: ") - 1);
+ b->last = ngx_copy(b->last, cipher.data, cipher.len);
+ *b->last++ = CR; *b->last++ = LF;
+ }
+
if (verify.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
sizeof("Auth-SSL-Verify: ") - 1);
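Review bot: in the added `if (cipher.len)` block, `ngx_copy(b->last, cipher.data, cipher.len)` writes the cipher name into the auth request verbatim. Either state in a comment why the value cannot contain CR or LF, or escape it before copying, since such bytes would change the framing of the request that the auth backend parses. The patch also introduces a new protocol header without a documentation update; the auth protocol description should list `Auth-SSL-Cipher` and say that it is sent only when a cipher name is available.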