Proposed changeset to fix client cert from ngx_ssl_get_certificate passed as HTTP header value
mdounin at mdounin.ru
Thu Feb 4 02:26:30 UTC 2016
On Wed, Feb 03, 2016 at 03:38:13PM -0800, Sam McKelvie wrote:
> The ngx_ssl_get_certificate() changes "\n" to "\n\t" in the returned PEM string in an effort to make
> the string usable as an HTTP header value with $ssl_client_cert. However, bare '\n' (without a preceding '\r') is passed
> along as "\n\t". This causes some HTTP servers (including node/express) to hang up. This changeset
> fixes the problem by replacing occurrences of '\n' that have no preceding '\r' with "\r\n\t".
> Tested with node.js/express and nginx-tests.
> I should note that a similar solution was proposed at https://forum.nginx.org/read.php?29,249804,249833, but the thread never went anywhere.
> This solution is slightly more paranoid with edge cases and does not insert extra '\r' characters if they are already present.
IMHO, header line folding is wrong enough to not bother with
trying to fix this. It doesn't work in way too many cases,
including with nginx itself, and it is deprecated by RFC 7230.
A much better approach would be to switch to something different -
maybe just a properly urlencoded $ssl_client_raw_cert, or plain
base64 without any newlines, or whatever.
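As an added illustration of the two positions in this thread (not code from the thread, from the proposed changeset, or from nginx itself), the Python below models three ways of putting a PEM certificate into a header value: the bare-LF result the original report complains about, the CRLF-plus-tab folding the changeset proposes, and the two single-line encodings suggested in the reply. A small classifier checks each result against the RFC 7230 grammar, under which a line break inside a field value is only tolerated as the deprecated obs-fold (CRLF followed by SP or HTAB). The certificate text, the function names and the classifier are all constructed for this example and are not nginx APIs.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed PEM-shaped sample (not a real certificate): three lines plus
# the trailing newline that a PEM file normally ends with.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUExample\n"
    "AAAAExampleOnly\n"
    "-----END CERTIFICATE-----\n"
)

# RFC 7230 obs-fold: CRLF followed by one or more SP / HTAB.
OBS_FOLD = re.compile(r"\r\n[ \t]+")


def classify_header_value(value: str) -> str:
    """Return 'single-line' if the value contains no CR/LF at all,
    'obs-fold' if every line break is a well-formed obs-fold, and
    'invalid' if any bare CR or LF remains (the case that makes some
    receivers drop the connection)."""
    if "\r" not in value and "\n" not in value:
        return "single-line"
    remainder = OBS_FOLD.sub("", value)
    if "\r" not in remainder and "\n" not in remainder:
        return "obs-fold"
    return "invalid"


def fold_lf_only(pem: str) -> str:
    """Model of the behaviour the report describes: each '\n' becomes
    '\n\t' with no CR in front of it (trailing newline dropped so the value
    does not end in a fold)."""
    return pem.rstrip("\r\n").replace("\n", "\n\t")


def fold_crlf_tab(pem: str) -> str:
    """Model of the proposed fix: a '\n' with no preceding '\r' becomes
    '\r\n\t'; an existing '\r\n' becomes '\r\n\t' without a second CR.
    The trailing newline is dropped for the same reason as above."""
    return re.sub(r"\r?\n", "\r\n\t", pem.rstrip("\r\n"))


def urlencode_pem(pem: str) -> str:
    """Alternative from the reply: percent-encode the whole PEM text, so
    every CR/LF becomes %0D/%0A and the value is one line. The receiver
    reverses it with a normal URL-decode."""
    return quote(pem, safe="")


def base64_single_line(pem: str) -> str:
    """Other alternative from the reply: plain base64 with no line wrapping.
    b64encode never emits newlines, so the value is one line."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def decode_base64_single_line(value: str) -> str:
    return base64.b64decode(value).decode("ascii")


if __name__ == "__main__":
    for name, fn in (("bare LF + tab", fold_lf_only),
                     ("CRLF + tab", fold_crlf_tab),
                     ("urlencoded", urlencode_pem),
                     ("base64 one line", base64_single_line)):
        print(f"{name:16s} -> {classify_header_value(fn(SAMPLE_PEM))}")
```

Of the three valid forms, the urlencoded and base64 values are the ones a receiver can consume without any obs-fold support, which is the point of the reply: the fold is syntactically acceptable only as a deprecated form, whereas the single-line encodings need nothing beyond a decode step that every HTTP stack already has.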