How to contribute fix for checking x509 extended key attrs to nginx?

Alexey Ivanov savetherbtz at gmail.com
Wed Jan 11 02:58:21 UTC 2017


On Jan 10, 2017, at 3:41 PM, Ethan Rahn via nginx-devel <nginx-devel at nginx.org> wrote:
> 
> Hello,
> 
> I noticed that nginx does not check x509v3 certificates (in event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example) to see that the optional extended key usage settings are correct. I have a patch for this that I would like to contribute, but I'm unable to find contribution guidelines on the nginx web-site.

http://nginx.org/en/docs/contributing_changes.html

> The effect of this issue is that someone could offer a client certificate that has extended key usage set to, say, serverAuth. This would be a violation of RFC 5280 - Section 4.2.1.12. I fix this by checking the bitfield manually to see that the settings are correct.
> 
> Cheers,
> 
> Ethan

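As an added illustration (not nginx code, not OpenSSL code, and not the patch mentioned in this thread), the RFC 5280 section 4.2.1.12 rule from the quoted message can be written as a check over the DER value of a certificate's extended key usage extension. The function name, the `accept_any` policy flag, the treatment of a missing extension as unrestricted, and the sample byte arrays are assumptions constructed for this example.

```c
#include <string.h>

/* DER content bytes of two KeyPurposeId OIDs (RFC 5280, section 4.2.1.12). */
static const unsigned char KP_CLIENT_AUTH[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02};
static const unsigned char KP_ANY[] = {0x55,0x1D,0x25,0x00};
/* Constructed sample extension values, not taken from real certificates. */
static const unsigned char EKU_SERVER_ONLY[] = {0x30,0x0A,
    0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char EKU_BOTH[] = {0x30,0x14,
    0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
    0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02};
static const unsigned char EKU_ANY_ONLY[] = {0x30,0x06, 0x06,0x04,0x55,0x1D,0x25,0x00};

enum { EKU_MALFORMED = -1, EKU_DENY = 0, EKU_ALLOW = 1 };

/* Read a DER length below 256 and check it fits in the buffer; 0 on error. */
static int der_len(const unsigned char **p, const unsigned char *end, size_t *len)
{
    if (*p >= end) return 0;
    *len = *(*p)++;
    if (*len == 0x81) {                 /* long form with one length byte */
        if (*p >= end || (*len = *(*p)++) < 0x80) return 0;
    } else if (*len >= 0x80) return 0;
    return *len <= (size_t)(end - *p);
}

/* ext: DER of ExtKeyUsageSyntax, or NULL when the certificate has no EKU
 * extension. accept_any: treat anyExtendedKeyUsage as covering clientAuth. */
int eku_permits_client_auth(const unsigned char *ext, size_t n, int accept_any)
{
    const unsigned char *p = ext, *end;
    size_t len;
    int result = EKU_DENY;

    if (ext == NULL) return EKU_ALLOW;  /* no EKU: purpose is not restricted */
    end = ext + n;
    if (n < 2 || *p++ != 0x30 || !der_len(&p, end, &len) || len == 0 || p + len != end)
        return EKU_MALFORMED;
    while (p < end) {                   /* every element must be an OID */
        if (*p++ != 0x06 || !der_len(&p, end, &len) || len == 0) return EKU_MALFORMED;
        if ((len == sizeof KP_CLIENT_AUTH && !memcmp(p, KP_CLIENT_AUTH, len)) ||
            (accept_any && len == sizeof KP_ANY && !memcmp(p, KP_ANY, len)))
            result = EKU_ALLOW;
        p += len;
    }
    return result;
}

/* Exit status 0 when the serverAuth-only sample is refused as a client certificate. */
int main(void) { return eku_permits_client_auth(EKU_SERVER_ONLY, sizeof EKU_SERVER_ONLY, 0) != EKU_DENY; }
```
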