[PATCH] Add a no_verify option for SSL client authentication
mdounin at mdounin.ru
Tue Aug 21 11:03:48 UTC 2012
On Mon, Aug 20, 2012 at 02:37:44PM +0200, Tom van der Woerdt wrote:
> Hi Eric,
> For the record, I'm not affiliated with nginx.
> If I understand your message correctly, you've got a load balancer
> (or something similar) in front of nginx that already verifies the
> certificates. You simply don't want nginx to do all the double
> checking, or maybe you just don't want to store the keys on an
> application server.
> A patch such as the one you supplied would be a major security hole
> (for those who don't know what they're doing, which nowadays is most
> people) while not offering much in return. What you describe can
> already be achieved by (for example) passing the cert's DN to the
> application server (and making sure the application server only
> accepts requests from your load balancer):
The problem with the discussed use case is that the issuer certificate
isn't known in advance. Hence nginx won't be able to verify the
supplied cert (unless we are willing to bring all the logic to
fetch the issuer cert into nginx, which doesn't look like a good
option) and will return an error.
I believe the use case may be handled with error_page 495, but
it's not yet clear
- if it's actually true;
- whether it introduces unwanted side effects;
- how common the case is (i.e. whether it deserves a special option
even if the above allows to handle it).
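The two approaches raised in this exchange (forwarding the certificate's DN and verification result to the application, and catching nginx's 495 "SSL certificate error" with error_page) can be sketched in one server block. This is an added example, not configuration from the original thread or from the nginx project; the upstream name app_backend, the hostname and the file paths are placeholders, and the claim that a 495 redirected to a named location reaches the backend is exactly the point Maxim says still needs confirming.

```nginx
# Added example, not from the original thread. Assumes a hypothetical
# upstream "app_backend" and placeholder certificate paths.
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname

    ssl_certificate     /etc/nginx/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/server.key;   # placeholder path

    # ssl_verify_client on/optional requires a CA bundle; a client cert
    # whose issuer is not in this bundle fails verification, which is the
    # situation discussed in the thread.
    ssl_client_certificate /etc/nginx/known-issuers.pem;   # placeholder path
    ssl_verify_client optional;

    # 495 is the internal code nginx raises when the presented client
    # certificate fails verification. Instead of serving an error page,
    # hand the request to the backend and let it decide (assumption: the
    # named-location redirect behaves this way for 495, as Maxim suggests
    # but has not confirmed).
    error_page 495 = @app;

    location / {
        proxy_pass http://app_backend;
        # proxy_set_header overwrites any X-SSL-* header a client sends, so
        # the backend sees only nginx's values. $ssl_client_verify is
        # SUCCESS, FAILED or NONE; $ssl_client_s_dn is the subject DN.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }

    location @app {
        proxy_pass http://app_backend;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

Two caveats a practitioner should keep in mind. First, the headers are only trustworthy if the backend is reachable solely through this nginx instance (the point Tom makes about the application server accepting requests only from the load balancer); a backend exposed directly would accept a client-supplied X-SSL-Client-DN at face value. Second, with a plain "optional" the certificate chain is still checked against the configured bundle, so the backend must treat FAILED as "presented but unverified by nginx" and perform its own issuer lookup. nginx later added ssl_verify_client optional_no_ca (1.3.8) for precisely this case, which requests the certificate without requiring it to chain to a trusted CA; that directive is outside the scope of this thread.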