Proposed changeset to fix client cert from ngx_ssl_get_certificate passed as HTTP header value

Maxim Dounin mdounin at
Fri Feb 5 15:58:12 UTC 2016


On Thu, Feb 04, 2016 at 01:38:48PM -0800, Sam McKelvie wrote:

> I think it is your call if you want to make a breaking change to
> $ssl_client_cert to URL encode it; I'd be happy to submit the
> changeset if you would approve that, but I personally don't feel
> comfortable breaking any existing applications that parse/decode the
> certificate.

No, certainly not something I want to be done.

> So my suggestion now is to define a new $ssl_client_cert_url_encoded
> variable that is the URL-encoded form of the raw PEM certificate. With
> your approval I will submit a changeset for that...

Yes, adding a variable with an URL-escaped versions looks like a 
way to go.  I disagree with the name you suggest though, I think 
that something like $ssl_client_escaped_cert would be more in line 
with $ssl_client_cert and $ssl_client_raw_cert variables we 
currently have and the ngx_escape_uri() function nginx uses 

Some more background.  As of now we have:

- $ssl_client_raw_cert - client cert in PEM format
- $ssl_client_cert - client cert in PEM format with \t added

At some distant point in the future we probably want to have:

- $ssl_client_cert - client cert in PEM format
- a way to urlescape() things, see

At this point, an escaped version of the client cert will be 
available as something like ${urlescape($ssl_client_cert)}.  All 
uses of client cert with tabs are expected to disappear.  There 
are a couple of problems though:

- there are existing uses of $ssl_client_cert and 
  $ssl_client_raw_cert, breaking them would be bad;

- we don't have urlescape() function in configs, and probably 
  won't have it in a near future.

So we have to figure out some migration plan, e.g.:

- introduce $ssl_client_escaped_cert, with urlescaped PEM cert;

- introduce $ssl_client_tabbed_cert as an alias to 
  $ssl_client_cert (with PEM cert with tabs);

- change $ssl_client_cert back to be raw cert (preserving 
  $ssl_client_raw_cert as a deprecated alias for some time);

- do something with $ssl_client_tabbed_cert at some point, not 

- once urlescape() functionality is added, deprecate 
  $ssl_client_escaped_cert, suggesting to use 
  urlescape($ssl_client_cert) instead.

Not sure if it's an optimal plan and if we are actually going to 
follow it, but introducing $ssl_client_escaped_cert looks like a 
more or less obvious 1st step, at least if we don't expect 
urlescape() to appear in the near future.

Maxim Dounin

More information about the nginx-devel mailing list