Verify Upstream SSL Certs

Phil Parker parker.p.dev at gmail.com
Wed Aug 28 15:45:38 UTC 2013


On Wed, Aug 28, 2013 at 9:54 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!

Hi!

>
> On Wed, Aug 28, 2013 at 09:20:46AM +0100, Phil Parker wrote:
>
> > This has been discussed in detail previously:
> >
> > http://trac.nginx.org/nginx/ticket/13
> > http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
> >
> > I have created a patch that I'm using locally and would like to contribute
> > but am a first-time contributor so looking for advice.
>
> Given the fact that Aviram Cohen's patch for the same ticket is
> already in the review process, I would suggest you to join
> review/testing instead.

Thanks, I missed that in all my searches.

It might be worth adding a comment to the trac ticket and the previous
(dead, I think) patch thread I found above so people can "follow the
breadcrumbs"?

> See this thread for details:
> http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004085.html
>

I've downloaded this and managed to patch/compile on:

nginx version: nginx/1.4.2
Linux 3.8.0-25-generic #37-Ubuntu SMP Thu Jun 6 20:47:07 UTC 2013 x86_64
GNU/Linux

I specified proxy_ssl_verify and proxy_ssl_trusted_certificate (I tried
this with both a single cert, which worked with my previous patch, and a
combined cert via 'openssl x509 -in cert1.pem -text >> CAfile.pem') but got
the following error when trying to proxy:

[error] 14716#0: *1 upstream sslcertificate validation failed while SSL
handshaking to upstream

This message doesn't match the one in the patch (which is just "upstream
sslcertificate validation failed"), but a search led me to
http://serverfault.com/questions/436737/forcing-a-particular-ssl-protocol-for-an-nginx-proxying-server.
In my case downgrading openssl to 1.0.0 didn't seem to change anything.
I'll keep investigating but would be useful to see if anyone has seen this
before or knows what the cause might be.

One additional point: it looks from the patch like if you don't specify
'proxy_ssl_verify_depth' it defaults to 1, but the OpenSSL documentation
states it defaults to 9:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES.

I'd suggest that if it's not specified in an nginx directive then the default
should be that of OpenSSL (the Principle of Least Astonishment applies...).


> > The way I've implemented it supports two (mutually exclusive) new
> > directives on a location. e.g.
> >
> > location / {
> >     proxy_ssl_peer_certificate_path "/tmp/sslcerts";
> >     #proxy_ssl_peer_certificate_file "/tmp/sslcerts/cert.pem";
> >     proxy_pass ....
> > }
> >
> > These are passed through to SSL_CTX_load_verify_locations (
> > http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html)
>
> Just a side note: we don't provide "_path" variants for other
> certificate verification directives, so it's unlikely it will be
> accepted for a proxy peer verification.
>
> > The main advice I'm looking for:
> >
> > 1) Is this implemented in a way that is useful for others?
> > 2) Should I be writing tests/test driving? If so, how?
>
> Writing tests may make sense (though not required), test suite is
> available at http://hg.nginx.org/nginx-tests.
>
> > 3) Anything in the patch (below) that needs to be changed (implementation
> > or style)?
> > 4) How best to submit the patch (I've currently made it against 1.4.2 and
> > just created a patch file, not currently a Mercurial user but can check-out
> > if necessary)?
>
> Basic recommendations can be found here:
>
> http://nginx.org/en/docs/contributing_changes.html
>
> [...]
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel


P.
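The two practical questions in the message above, how to build the file handed to proxy_ssl_trusted_certificate and what a verify depth of 1 versus 9 actually permits, can be checked outside nginx with the openssl command line. The script below is an added example written for this page; it is not code from the thread, the patch under review, or nginx itself. It assumes an openssl binary on PATH, and every name, path and subject in it (root.pem, inter.pem, leaf3.pem, leaf2.pem, CAfile.pem, "upstream.example") is a scratch value chosen for the demonstration. It builds a root, an intermediate and two upstream server certificates, one chained through the intermediate and one signed directly by the root, concatenates the CA certificates into a bundle, and then runs `openssl verify -verify_depth N` against that bundle, which is the same depth limit nginx passes to OpenSSL via proxy_ssl_verify_depth.

```shell
#!/bin/sh
# Added example, not part of the original thread or of nginx. Builds a
# root -> intermediate -> leaf chain with scratch names, bundles the CA
# certs the way a proxy_ssl_trusted_certificate file is built, and probes
# -verify_depth. Requires the openssl CLI.
set -e
work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$work/leaf.ext"

cd "$work"
# Self-signed root CA (scratch subject).
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.pem -subj "/CN=Example Root" -days 30 >/dev/null 2>&1
# Intermediate CA signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Example Intermediate" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext >/dev/null 2>&1
# Upstream server certificate from one CSR, signed two ways: by the
# intermediate (three-cert chain, leaf3) and directly by the root (leaf2).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=upstream.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf3.pem -days 30 -extfile leaf.ext >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out leaf2.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# The trusted bundle is a plain concatenation of PEM blocks; the -text dump
# that "openssl x509 -text" adds is ignored by the PEM reader and not needed.
cat root.pem inter.pem > CAfile.pem

# verify_chain <depth> <leaf>: exit 0 if the leaf verifies against the bundle
# with the given -verify_depth (the limit proxy_ssl_verify_depth sets in nginx).
verify_chain() {
  openssl verify -CAfile "$work/CAfile.pem" -verify_depth "$1" "$work/$2" >/dev/null 2>&1
}
show() {
  if verify_chain "$1" "$2"; then echo "depth $1, $2: OK"; else echo "depth $1, $2: FAIL"; fi
}
show 0 leaf3.pem   # fails on every OpenSSL: the intermediate is one level too many
show 1 leaf3.pem   # version dependent: the counting changed in OpenSSL 1.1.0
show 2 leaf3.pem   # passes on every OpenSSL
show 1 leaf2.pem   # passes on every OpenSSL: leaf issued directly by the trusted root
```

Before OpenSSL 1.1.0 the depth is the number of CA certificates allowed above the peer, so depth 1 covers only a leaf issued directly by a trusted root; from 1.1.0 on the end-entity and trust anchor no longer count and depth 1 allows one intermediate. Either way, the default of 1 is tight enough that an upstream presenting an intermediate can fail with the same "certificate validation failed" message as a genuinely untrusted peer, so when a proxy_ssl_verify setup fails it is worth running this check with the real bundle and leaf first, and pinning proxy_ssl_verify_depth explicitly rather than relying on the default.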