[PATCH] Add ssl_client_not_before and ssl_client_not_after request
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 7 18:04:32 UTC 2015
Hello!
On Mon, Sep 07, 2015 at 08:18:29PM +0300, Andrey Kulikov wrote:
> Hello,
>
> Nginx SSL module allows using some variables:
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
> But sometimes they are not enough.
>
> Please find attached patch, adding two more:
> $ssl_client_not_before - Validity date from client certificate 'Not Before'
> $ssl_client_not_after - Validity date from client certificate 'Not After'
>
> After applying changes you may use them in configuration along with other
> variables:
>
> location /test_headers/ {
>     proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
>     proxy_set_header X-ClientCert-NotBefore $ssl_client_not_before;
>     proxy_set_header X-ClientCert-NotAfter $ssl_client_not_after;
>     proxy_pass http://192.168.88.156/;
> }
>
> And it will appear (in this case) in proxied content in the following
> form:
>
> X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
> X-ClientCert-NotBefore: Jul 9 22:20:31 2015 GMT
> X-ClientCert-NotAfter: Oct 9 22:30:31 2015 GMT
>
>
> Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.
>
> Feel free to ask any questions regarding this matter.
How do you expect these variables to be used? For some form of
warning like "your certificate will expire soon, please update
it"? Note that validity of the certificate was already checked at
this point, these fields in particular, and that's not something a
backend server needs to test.
See also http://nginx.org/en/docs/contributing_changes.html for
some hints on how we would prefer submissions to be done.
[...]
> + return NGX_OK;
> +}
> +
> +ngx_int_t
> +ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
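Review bot: the `ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)` line runs to 81 columns, past the 80-column limit the nginx code base keeps; wrap the parameter list the way the neighbouring getters do, i.e. `ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,` followed by a continuation line `    ngx_str_t *s)` indented by four spaces.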
Two empty lines between functions, please.
[...]
> + return NGX_OK;
> +}
> +
> +ngx_int_t
> ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
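Review bot: the added `+ngx_int_t` line here is immediately followed by the unchanged `ngx_ssl_get_fingerprint(...)` line, which shows the new functions were spliced in between the existing return-type line and its function name rather than after a complete function; insert them after the closing brace of the preceding getter so that each new function carries its own `ngx_int_t` line in the hunk and `ngx_ssl_get_fingerprint` is left untouched, which also makes the diff easier to read and to rebase.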
Same here.
[...]
> --- a/src/http/modules/ngx_http_ssl_module.c
> +++ b/src/http/modules/ngx_http_ssl_module.c
> @@ -307,6 +307,12 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
> { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
> (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
>
> + { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
> + (uintptr_t) ngx_ssl_get_client_not_before, NGX_HTTP_VAR_CHANGEABLE, 0 },
> +
> + { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
> + (uintptr_t) ngx_ssl_get_client_not_after, NGX_HTTP_VAR_CHANGEABLE, 0 },
> +
> { ngx_null_string, NULL, NULL, 0, 0, 0 }
> };
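Review bot: the two new `ngx_http_ssl_vars[]` entries introduce user-visible variables without an accompanying documentation change; the `$ssl_client_*` list referenced at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables should gain `$ssl_client_not_before` and `$ssl_client_not_after` together with their value format (the text form shown in the submission, e.g. `Oct 9 22:30:31 2015 GMT`), so that users of the variables know to expect a textual date rather than a numeric timestamp.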
It should be better to put these variables after $ssl_client_serial,
much like the functions themselves.
--
Maxim Dounin
http://nginx.org/
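The use case Maxim raises above, an "expires soon" warning computed by the backend, as an added example that is not part of the thread or of nginx itself. It assumes a Python backend receiving the headers named in the quoted configuration; the header values are constructed from the ones shown in the post, and the parser handles the two-space padding OpenSSL uses for single-digit days (`Jul  9 ...`), which the rendered post collapses to one space. Validity itself is not re-checked, since nginx has already rejected certificates outside their window; the backend only decides whether to warn.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample headers in the form the quoted configuration would
# forward; the values are those shown in the original post.
SAMPLE_HEADERS = {
    "X-ClientCert-SubjectSerial": "120005C82FBE782D06D89FF14800000005C82F",
    "X-ClientCert-NotBefore": "Jul  9 22:20:31 2015 GMT",
    "X-ClientCert-NotAfter": "Oct  9 22:30:31 2015 GMT",
}


def parse_asn1_time(value):
    """Parse the text form OpenSSL's ASN1_TIME_print() emits, e.g.
    'Jul  9 22:20:31 2015 GMT'.  Single-digit days are space padded, so
    the value is split on whitespace and re-joined before strptime."""
    fields = value.split()
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError("unexpected ASN1_TIME text: %r" % value)
    month, day, clock, year, _tz = fields
    parsed = datetime.strptime("%s %s %s %s" % (month, day, clock, year),
                               "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def expiry_status(headers, now, warn_days=14):
    """Return (state, days_remaining) for the forwarded client certificate.

    state is 'ok', 'expiring_soon' or 'expired'.  nginx has already
    enforced the validity window, so 'expired' can only occur if the
    backend's clock disagrees with nginx's; it is reported, not enforced.
    """
    not_before = parse_asn1_time(headers["X-ClientCert-NotBefore"])
    not_after = parse_asn1_time(headers["X-ClientCert-NotAfter"])
    if not_before > not_after:
        # A malformed pair: refuse to compute a misleading warning.
        raise ValueError("notBefore is later than notAfter")

    remaining = not_after - now
    # total_seconds() avoids timedelta.days flooring negative intervals
    # to -1 for intervals shorter than a day.
    days_remaining = int(remaining.total_seconds() // 86400)

    if remaining <= timedelta(0):
        return "expired", days_remaining
    if remaining <= timedelta(days=warn_days):
        return "expiring_soon", days_remaining
    return "ok", days_remaining


def warning_banner(headers, now, warn_days=14):
    """Text a backend could render for the user; None when no warning."""
    state, days = expiry_status(headers, now, warn_days)
    serial = headers.get("X-ClientCert-SubjectSerial", "?")
    if state == "expiring_soon":
        return ("Client certificate %s expires in %d day(s); "
                "please renew it." % (serial, days))
    if state == "expired":
        return "Client certificate %s has expired." % serial
    return None


if __name__ == "__main__":
    # Constructed 'now' values chosen to exercise each state.
    for when in (datetime(2015, 7, 10, tzinfo=timezone.utc),
                 datetime(2015, 10, 1, tzinfo=timezone.utc),
                 datetime(2015, 10, 10, tzinfo=timezone.utc)):
        print(when.date(), expiry_status(SAMPLE_HEADERS, when),
              warning_banner(SAMPLE_HEADERS, when))
```

The split-and-rejoin in `parse_asn1_time` is what makes the parser robust to the padding difference; a direct `strptime` with a fixed format would accept only one of the two spellings.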