New SSL features for Nginx.

Igor Sysoev is at rambler-co.ru
Wed Jul 22 12:44:22 MSD 2009


On Tue, Jul 21, 2009 at 08:02:05PM +0200, Brice Figureau wrote:

> Hi,
> 
> For Puppet[1] Nginx deployment (that is using Nginx as a front-end 
> load-balancer to puppetmasters[2]), I had to create the following two 
> patches, to match Apache behaviour:
> 
>  * The first patch allows:
>   + a new variant of ssl_client_verify: optional. In this mode, if the 
> client sends a certificate it is verified, but if the client doesn't 
> send a certificate, the connection is authorized too.
> 
>   + a new variable: $ssl_client_verify which contains, either NONE, 
> SUCCESS or FAILURE depending on the verification status. It can be used 
> to send information to the upstream about the client verification.
> 
>  * The second patch adds CRL support to the client certificate 
> verification:
> 
>   ssl_crl /path/to/crl.pem;
> 
>  Nginx then verifies the client certificate hasn't been revoked in the 
> given CRL before allowing the connection to proceed.
> 
> For access to the patches, please see my last blog article:
> http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
> 
> It would be great if those patches could be merged in the official Nginx 
> source tree.

Thank you, I have looked at the patches; it was really a surprise for me that
OpenSSL 0.9.7 supports CRL. I read in an old enough book, "Network Security
with OpenSSL", written when 0.9.7 was being developed, that OpenSSL has
no built-in CRL support. Then I looked at Apache's mod_ssl sources and
its CRL support seemed to me very heavy: mod_ssl does a lot of useless
operations. I think that it's enough to store the hash of only the public key of
all CRL certificates (including intermediate ones). Have you looked at
how CRL is implemented in OpenSSL?


-- 
Igor Sysoev
http://sysoev.ru/en/
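The setup Brice describes, as an added configuration example that is not part of his patches or of the original thread: a front-end that verifies a client certificate when one is presented, checks it against a CRL, and passes the verification result to the upstream. It assumes the directive and variable names as they exist in later nginx releases (`ssl_verify_client`, `ssl_crl`, `$ssl_client_verify`, `$ssl_client_s_dn`); the hostnames, ports and file paths are placeholders.

```nginx
# Added example, not Brice's patch and not nginx's own documentation.
# Assumed names: ssl_verify_client, ssl_crl, $ssl_client_verify,
# $ssl_client_s_dn (as in later nginx releases); paths/hosts are placeholders.
upstream puppetmasters {
    server 127.0.0.1:18140;
    server 127.0.0.1:18141;
}

server {
    listen      8140 ssl;
    server_name puppet.example.com;

    ssl_certificate     /etc/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key /etc/puppet/ssl/private_keys/puppet.example.com.pem;

    # Trust anchor for client certificates (the Puppet CA) and its CRL.
    # The CRL file is read when the configuration is loaded, so nginx must
    # be reloaded after the CA publishes a new CRL.
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;
    ssl_crl                /etc/puppet/ssl/crl.pem;

    # "optional": a presented certificate is verified against the CA and the
    # CRL, but a client that presents none is still allowed to connect; the
    # upstream decides what an unauthenticated client may do.
    ssl_verify_client optional;

    location / {
        proxy_pass http://puppetmasters;
        # Set these headers unconditionally so a client cannot supply its
        # own X-Client-Verify value and be mistaken for a verified peer.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header Host            $host;
    }
}
```

In released nginx the variable yields NONE, SUCCESS or FAILED (later versions append a reason after FAILED), so the upstream should treat anything other than exactly SUCCESS as an unverified client rather than matching on "not NONE". The upstream must also accept these headers only from the front-end; if it is reachable directly, a client could set X-Client-Verify itself.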