[PATCH] SSL: support for client proxy certificates

Francesco Giacomini francesco.giacomini at cnaf.infn.it
Mon Mar 18 10:53:52 UTC 2019


# HG changeset patch
# User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
# Date 1552665342 -3600
#      Fri Mar 15 16:55:42 2019 +0100
# Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
# Parent  c74904a1702135f673a275bd0d36f010a3bfb89a
SSL: support for client proxy certificates

Add the option ssl_allow_proxy_certs to allow client authentication
through X.509 proxy certificates (RFC 3820).

It used to be possible by setting the environment variable
OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
done programmatically.

diff -r c74904a17021 -r 0b5d82532ea5 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim	Sat Mar 09 03:03:56 2019 +0300
+++ b/contrib/vim/syntax/nginx.vim	Fri Mar 15 16:55:42 2019 +0100
@@ -581,6 +581,7 @@
 syn keyword ngxDirective contained ssi_silent_errors
 syn keyword ngxDirective contained ssi_types
 syn keyword ngxDirective contained ssi_value_length
+syn keyword ngxDirective contained ssl_allow_proxy_certs
 syn keyword ngxDirective contained ssl_buffer_size
 syn keyword ngxDirective contained ssl_certificate
 syn keyword ngxDirective contained ssl_certificate_key
diff -r c74904a17021 -r 0b5d82532ea5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Sat Mar 09 03:03:56 2019 +0300
+++ b/src/event/ngx_event_openssl.c	Fri Mar 15 16:55:42 2019 +0100
@@ -1471,6 +1471,29 @@
 
 
 ngx_int_t
+ngx_ssl_allow_proxy_certs(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
+{
+    X509_STORE   *store;
+
+    if (!enable) {
+        return NGX_OK;
+    }
+
+    store = SSL_CTX_get_cert_store(ssl->ctx);
+
+    if (store == NULL) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_get_cert_store() failed");
+        return NGX_ERROR;
+    }
+
+    X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
 {
     if (!enable) {
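Review bot: ngx_ssl_allow_proxy_certs() silently returns NGX_OK when `enable` is 0 and never clears X509_V_FLAG_ALLOW_PROXY_CERTS on an already-configured store, so the flag can only be turned on, not off; a one-line comment above the function stating that the directive is enable-only and that the flag is applied to the SSL_CTX-wide X509_STORE would spare the next reader a trip to the OpenSSL docs. Presumably the `cf` parameter is kept unused only to match the signature of the neighbouring ngx_ssl_client_session_cache() (whose body is cut off by this hunk) — if so, that is fine for consistency, but worth saying in the same comment. From a defender's angle it is also worth documenting that, with proxy certificates accepted, the leaf certificate nginx exposes to the rest of the server is the proxy itself rather than the end-entity certificate, so any authorization keyed on the client subject has to account for the additional CN component RFC 3820 mandates — TODO confirm against how the ssl_client_* variables are populated.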
diff -r c74904a17021 -r 0b5d82532ea5 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Sat Mar 09 03:03:56 2019 +0300
+++ b/src/event/ngx_event_openssl.h	Fri Mar 15 16:55:42 2019 +0100
@@ -180,6 +180,8 @@
     ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
+ngx_int_t ngx_ssl_allow_proxy_certs(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    ngx_uint_t enable);
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
     int key_length);
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
diff -r c74904a17021 -r 0b5d82532ea5 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Sat Mar 09 03:03:56 2019 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c	Fri Mar 15 16:55:42 2019 +0100
@@ -249,6 +249,13 @@
       offsetof(ngx_http_ssl_srv_conf_t, early_data),
       NULL },
 
+    { ngx_string("ssl_allow_proxy_certs"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, allow_proxy_certs),
+      NULL },
+
       ngx_null_command
 };
 
@@ -580,6 +587,7 @@
     sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
     sscf->stapling = NGX_CONF_UNSET;
     sscf->stapling_verify = NGX_CONF_UNSET;
+    sscf->allow_proxy_certs = NGX_CONF_UNSET;
 
     return sscf;
 }
@@ -647,6 +655,8 @@
     ngx_conf_merge_str_value(conf->stapling_responder,
                          prev->stapling_responder, "");
 
+    ngx_conf_merge_value(conf->allow_proxy_certs, prev->allow_proxy_certs, 0);
+
     conf->ssl.log = cf->log;
 
     if (conf->enable) {
@@ -857,6 +867,10 @@
         return NGX_CONF_ERROR;
     }
 
+    if (ngx_ssl_allow_proxy_certs(cf, &conf->ssl, conf->allow_proxy_certs) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     return NGX_CONF_OK;
 }
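Review bot: The new `if` at the ngx_ssl_allow_proxy_certs() call exceeds nginx's 80-column limit and does not follow the file's convention of wrapping a multi-line condition with the opening brace on its own line; the surrounding checks in this function use that layout. Suggested form: `if (ngx_ssl_allow_proxy_certs(cf, &conf->ssl, conf->allow_proxy_certs)` / `    != NGX_OK)` / `{` followed by the existing `return NGX_CONF_ERROR;` and closing brace. The enclosing merge function begins outside this hunk, so the placement relative to the other ngx_ssl_* setup calls cannot be checked here.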
 
diff -r c74904a17021 -r 0b5d82532ea5 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h	Sat Mar 09 03:03:56 2019 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h	Fri Mar 15 16:55:42 2019 +0100
@@ -59,6 +59,8 @@
     ngx_str_t                       stapling_file;
     ngx_str_t                       stapling_responder;
 
+    ngx_flag_t                      allow_proxy_certs;
+
     u_char                         *file;
     ngx_uint_t                      line;
 } ngx_http_ssl_srv_conf_t;

