Welcome! Log In Create A New Profile

Advanced

[nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Praveen Chaudhary
August 16, 2024 11:04AM
Hi Nginx Devs

Bumping patch to the top for review.

CC: @Sergey Kandaurov
Thanks for contributing client certificate validation with OSCP. It is a
long awaited feature.
In this patch, I am trying to fix another lingering concern. It will be
great, if you can have a look.

# HG changeset patch
# User Praveen Chaudhary <praveen5582@gmail.com>
# Date 1723406727 25200
# Sun Aug 11 13:05:27 2024 -0700
# Node ID 199a35c74b60437da9d22a70d257507b4afb1878
# Parent b5550a7f16c795f394f9d1ac87132dd2b7ef0e41
Make ssl_client_certificate directive optional with TLSv1.3.

- As per RFC 8446 Section 4.2.4, server MAY (not SHOULD or MUST)
send Certificate Authorities (CAs) in the Certificate Request
packet. This makes ssl_client_certificate directive optional
when only TLS 1.3 is used for mutual TLS configurations.

- Today, Nginx requires ssl_client_certificate directive to
be set to CA Certificates file, if ssl_verify_client is
enabled, even when using only TLS 1.3. Else Nginx does not
reload or restart.

diff -r b5550a7f16c7 -r 199a35c74b60 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -787,10 +787,16 @@

if (conf->verify) {

- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}

if (ngx_ssl_client_certificate(cf, &conf->ssl,
diff -r b5550a7f16c7 -r 199a35c74b60 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -450,12 +450,19 @@

if (conf->verify) {

- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}

+
if (ngx_ssl_client_certificate(cf, &conf->ssl,
&conf->client_certificate,
conf->verify_depth)
diff -r b5550a7f16c7 -r 199a35c74b60 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -932,10 +932,16 @@

if (conf->verify) {

- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}

if (ngx_ssl_client_certificate(cf, &conf->ssl,
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Praveen Chaudhary 223 August 16, 2024 11:04AM

Re: [nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Aleksei Bavshin 39 August 19, 2024 02:42PM

Re: [nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Praveen Chaudhary 44 August 19, 2024 07:24PM

Re: [nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Praveen Chaudhary 46 August 21, 2024 12:38PM

Re: [nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3

Praveen Chaudhary 101 August 27, 2024 03:08PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 160
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready