[PATCH] Add a no_verify option for SSL client authentication

Maxim Dounin mdounin at mdounin.ru
Tue Aug 21 11:03:48 UTC 2012


On Mon, Aug 20, 2012 at 02:37:44PM +0200, Tom van der Woerdt wrote:

> Hi Eric,
> For the record, I'm not affiliated with nginx.
> If I understand your message correctly, you've got a load balancer
> (or something similar) in front of nginx that already verifies the
> certificates. You simply don't want nginx to do all the double
> checking, or maybe you just don't want to store the keys on an
> application server.
> A patch such as the one you supplied would be a major security hole
> (for those who don't know what they're doing, which nowadays is most
> people) while not offering much in return. What you describe can
> already be achieved by (for example) passing the cert's DN to the
> application server (and making sure the application server only
> accepts requests from your load balancer):

The problem with the discussed use case is that issuer certificate 
isn't known in advance.  Hence nginx won't be able to verify the  
supplied cert (unless we are willing to bring all the logic to 
fetch issuer cert into nginx, which doesn't looks like a good 
option) and will return error.

I believe the use case may be handled with error_page 495, but 
it's not yet clear

- if it's actually true;

- whether it introduce unwanted side effects;

- how the case is common (i.e. wether it deserves special option 
  even if the above allows to handle it).

Maxim Dounin

More information about the nginx-devel mailing list