[PATCH] SSL: support for client proxy certificates
mdounin at mdounin.ru
Mon Mar 18 15:08:28 UTC 2019
On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:
> # HG changeset patch
> # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> # Date 1552665342 -3600
> # Fri Mar 15 16:55:42 2019 +0100
> # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> # Parent c74904a1702135f673a275bd0d36f010a3bfb89a
> SSL: support for client proxy certificates
> Add the option ssl_allow_proxy_certs to allow client authentication
> through X.509 proxy certificates (RFC 3820).
> It used to be possible by setting the environment variable
> OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> done programmatically.
Thanks for the patch.
Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:
: For these reasons, OpenSSL requires that the use of proxy certificates be
: explicitly allowed. Currently, this can be done using the following methods:
: - if the application directly calls X509_verify_cert(), it can first call:
: X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
: Where ctx is the pointer which then gets passed to X509_verify_cert().
: - proxy certificate validation can be enabled before starting the application
: by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
: In the future, it might be possible to enable proxy certificates by editing
Since nginx does not call X509_verify_cert() directly, the only
documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS
If this functionality is important for you, and given that the
documented approach no longer works, have you considered filing a
bug to the OpenSSL team? It looks like at least one already
exists, though lacks proper description of the problem:
I'm also a bit sceptical about the how proxy certificates are
common and if these needs to be supported by nginx, given that
there is still no support even in openssl.cnf.
More information about the nginx-devel