How to contribute fix for checking x509 extended key attrs to nginx?
mdounin at mdounin.ru
Wed Jan 11 14:02:12 UTC 2017
On Tue, Jan 10, 2017 at 03:41:14PM -0800, Ethan Rahn via nginx-devel wrote:
> I noticed that nginx does not check x509v3 certificates ( in
> event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example ) to see
> that the optional extended key usage settings are correct. I have a patch
> for this that I would like to contribute, but I'm unable to find
> contribution guidelines on the nginx web-site.
> The effect of this issue is that someone could offer a client certificate
> that has extended key usage set to say, serverAuth. This would be a
> violation of RFC 5280 - Section 220.127.116.11. I fix this by checking the
> bitfield manually to see that the settings are correct.
Note that nginx relies on OpenSSL to verify certificates, and
checking things manually might not be a good idea. If you think
that somthing is missing, a better solution might be to improve
OpenSSL checking instead.
More information about the nginx-devel