[PATCH] Add ssl_client_not_before and ssl_client_not_after request

Andrey Kulikov amdeich at gmail.com
Mon Sep 7 18:23:08 UTC 2015


Hello Maxim,

Thanks for comments!
Please find the amended patch attached.

As to an example of usage: it's a real-world use case - one of our customers
does want to see these values on the backend server for whatever purpose.
But your example also has a right to be applicable sometimes.

Best wishes,
Andrey

On 7 September 2015 at 21:04, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 07, 2015 at 08:18:29PM +0300, Andrey Kulikov wrote:
>
> > Hello,
> >
> > Nginx SSL module allows the use of some variables:
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
> > But sometimes they are not enough.
> >
> > Please find attached patch, adding two more:
> > $ssl_client_not_before - Validity date from client certificate 'Not Before'
> > $ssl_client_not_after  - Validity date from client certificate 'Not After'
> >
> > After applying changes you may use them in configuration along with other
> > variables:
> >
> >     location /test_headers/ {
> >         proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
> >         proxy_set_header X-ClientCert-NotBefore $ssl_client_not_before;
> >         proxy_set_header X-ClientCert-NotAfter $ssl_client_not_after;
> >         proxy_pass http://192.168.88.156/;
> >     }
> >
> > And it will appear (in this case) in the proxied content in the following
> > form:
> >
> > X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
> > X-ClientCert-NotBefore: Jul  9 22:20:31 2015 GMT
> > X-ClientCert-NotAfter: Oct  9 22:30:31 2015 GMT
> >
> >
> > Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.
> >
> > Feel free to ask any questions regarding this matter.
>
> How do you expect these variables to be used?  For some form of
> warning like "your certificate will expire soon, please update
> it"?  Note that validity of the certificate was already checked at
> this point, these fields in particular, and that's not something a
> backend server needs to test.
>
> See also http://nginx.org/en/docs/contributing_changes.html for
> some hints on how we would prefer submissions to be done.
>
> [...]
>
> > +    return NGX_OK;
> > +}
> > +
> > +ngx_int_t
> > +ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s)
>
> Two empty lines between functions, please.
>
> [...]
>
> > +    return NGX_OK;
> > +}
> > +
> > +ngx_int_t
> >  ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s)
>
> Same here.
>
> [...]
>
> > --- a/src/http/modules/ngx_http_ssl_module.c
> > +++ b/src/http/modules/ngx_http_ssl_module.c
> > @@ -307,6 +307,12 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
> >      { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
> >        (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0
> },
> >
> > +    { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
> > +      (uintptr_t) ngx_ssl_get_client_not_before,
> NGX_HTTP_VAR_CHANGEABLE, 0 },
> > +
> > +    { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
> > +      (uintptr_t) ngx_ssl_get_client_not_after,
> NGX_HTTP_VAR_CHANGEABLE, 0 },
> > +
> >      { ngx_null_string, NULL, NULL, 0, 0, 0 }
> >  };
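Review bot: the new `ssl_client_not_before` and `ssl_client_not_after` entries in `ngx_http_ssl_vars` come with no documentation update; the variables page linked in the cover letter (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) would need an entry for each, and it should state the output format the cover letter shows (e.g. `Jul  9 22:20:31 2015 GMT`, with a space-padded day) so that backend authors know what to parse.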
>
> It would be better to put these variables after $ssl_client_serial,
> much like the functions themselves.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
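The thread leaves open what a backend would actually do with `X-ClientCert-NotBefore` and `X-ClientCert-NotAfter` once nginx forwards them. The following is an added example, not code from the patch or from nginx: a small backend-side helper that parses the date format shown in the sample output above (OpenSSL's `Jul  9 22:20:31 2015 GMT` style, including the space-padded day) and classifies a request for the "certificate expires soon" warning Maxim describes. Header names are taken from the `proxy_set_header` lines in the thread; the sample header values are constructed from the thread's own output. It also handles the case nginx produces when no client certificate was presented: a `proxy_set_header` whose value expands to empty is not sent at all, so the backend sees no header rather than an empty one.

```python
from datetime import datetime, timezone

# Header names as configured with proxy_set_header in the thread.
NOT_BEFORE_HEADER = "X-ClientCert-NotBefore"
NOT_AFTER_HEADER = "X-ClientCert-NotAfter"

# Format nginx emits for these variables, as seen in the thread's sample output
# ("Oct  9 22:30:31 2015 GMT"). strptime treats a single space in the format as
# one-or-more spaces, so the space-padded single-digit day parses as well.
_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: the header values exactly as shown in the thread.
SAMPLE_HEADERS = {
    "X-ClientCert-SubjectSerial": "120005C82FBE782D06D89FF14800000005C82F",
    NOT_BEFORE_HEADER: "Jul  9 22:20:31 2015 GMT",
    NOT_AFTER_HEADER: "Oct  9 22:30:31 2015 GMT",
}


def parse_cert_time(value):
    """Parse an $ssl_client_not_before / $ssl_client_not_after value.

    Returns an aware UTC datetime, or None if the value is missing, empty or
    not in the expected format.
    """
    if not value:
        return None
    try:
        naive = datetime.strptime(value.strip(), _TIME_FORMAT)
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def expiry_status(headers, now, warn_days=30):
    """Classify a proxied request by the client-certificate dates it carries.

    headers: mapping of header name -> value as received from nginx.
    now:     aware UTC datetime used as the reference clock.
    Returns a dict with 'state' and 'days_left' (None when not applicable).
    """
    raw_before = headers.get(NOT_BEFORE_HEADER)
    raw_after = headers.get(NOT_AFTER_HEADER)

    # nginx omits a proxy_set_header whose value is empty, so a request made
    # without a client certificate carries neither header.
    if not raw_before and not raw_after:
        return {"state": "no-client-cert", "days_left": None}

    not_before = parse_cert_time(raw_before)
    not_after = parse_cert_time(raw_after)
    if not_before is None or not_after is None:
        # Present but unparsable: treat as an anomaly worth logging rather
        # than silently ignoring.
        return {"state": "malformed", "days_left": None}

    days_left = (not_after - now).days
    if now < not_before or now > not_after:
        # nginx already verified the certificate before setting these values,
        # so landing here points at clock skew between nginx and the backend
        # (or a stale request), not at a certificate that needs re-verifying.
        return {"state": "outside-validity", "days_left": days_left}

    state = "expiring-soon" if days_left <= warn_days else "ok"
    return {"state": state, "days_left": days_left}


if __name__ == "__main__":
    reference = datetime(2015, 9, 15, tzinfo=timezone.utc)
    print(expiry_status(SAMPLE_HEADERS, reference))
    print(expiry_status({}, reference))
```

The warning threshold is a parameter because the right value depends on how the client certificates are issued; the classifier only reports, leaving it to the application whether to surface a notice, log it, or do nothing, which is the backend's decision rather than a validation step.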
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_client_not_before_not_aster_var.patch
Type: text/x-patch
Size: 4066 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150907/fef1a387/attachment.bin>