[PATCH] Add provision to fetch certificate chain from Nginx

Maxim Dounin mdounin at mdounin.ru
Tue Dec 28 15:58:27 UTC 2021


Hello!

On Tue, Dec 28, 2021 at 11:56:50AM +0000, CHHABRA Mandeep Singh wrote:

> # HG changeset patch
> # User Mandeep Singh Chhabra <mandeep-singh.chhabra at thalesgroup.com>
> # Date 1640691269 -19800
> #      Tue Dec 28 17:04:29 2021 +0530
> # Node ID 9baaef976ac80f05107b60801ebe6559cdb2cbc6
> # Parent  b002ad258f1d70924dc13d8f4bc0cc44362f0d0a
> Add provision to fetch certificate chain from Nginx
> 
> The change adds a new variable ('ssl_client_cert_chain') to the
> existing set of variables. It is part of the http SSL
> module. With this, the middleware can fetch the certificate chain
> from Nginx using the variable mentioned. The variable returns
> a verified chain of certificates.
> If the trust anchor is a root certificate (self-signed) which has
> issued an intermediate certificate, and the client certificate is
> issued by the intermediate certificate, the variable ('ssl_client_cert_chain')
> will return three certificates (rootCert -> intermediateCert -> clientCert).

Thanks for the patch.

You may want to be more specific about which problem you are 
trying to solve.  In particular, all root and intermediate 
certificates are expected to be known on the server.  If they 
aren't for some reason, it might be a good idea to clarify why 
they aren't known or reconsider particular configuration.

[...]

> +    p = s->data;
> +
> +    for (i = 0; i < cert_chain.len - 1; i++) {
> +        *p++ = cert_chain.data[i];
> +        if (cert_chain.data[i] == LF) {
> +            *p++ = '\t';
> +        }
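Review bot: the allocation of s->data is not in the quoted lines, but this loop emits one extra byte for every LF in cert_chain.data, so the buffer must be sized as cert_chain.len plus the count of LF bytes; sizing it to cert_chain.len alone would write past the end. The loop bound `i < cert_chain.len - 1` also silently drops the last byte (presumably a trailing LF); a one-line comment stating that intent, and a check that cert_chain.len is not zero before subtracting, would make the copy easier to review.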

Just a side note: certainly we are not going to introduce new 
variables using this syntax.

Also it might be a good idea to fix various style issues in the 
patch, but probably it makes sense to resolve the "why it should be 
needed" question first.

[...]

-- 
Maxim Dounin
http://mdounin.ru/
