[PATCH] Add a no_verify option for SSL client authentication

Tom van der Woerdt info at tvdw.eu
Mon Aug 20 07:46:22 UTC 2012


Feedback: this is a bad idea and super bad practice. If you want to use client cert auth but don't verify them, you might just as well only have an input field with 'What's your name?' as the login page, no password field. You drop any security that client auth offers. 

Recommendation: don't include this patch in nginx. The only thing it does is create a massive security hole. 

Tom


Sent from my iPhone

On 18 Aug 2012, at 17:48, Eric O'Connor <eoconnor at coincident.com> wrote:

> Hello Nginx,
> 
> This patch adds a "ssl_verify_client no_verify;" option that triggers
> a client to upload a certificate, but does not throw an exception when
> that certificate does not validate. It also allows
> "ssl_client_certificate" to not exist when this option is specified.
> 
> This is useful for our company's application where we would like to do
> SSL client authentication on an application server.
> 
> Any feedback is welcome.
> 
> ~ Eric O'Connor
> 
> ---
> src/http/modules/ngx_http_ssl_module.c |    3 ++-
> src/http/ngx_http_request.c            |    2 +-
> 2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/src/http/modules/ngx_http_ssl_module.c
> b/src/http/modules/ngx_http_ssl_module.c
> index d759489..fede8e0 100644
> --- a/src/http/modules/ngx_http_ssl_module.c
> +++ b/src/http/modules/ngx_http_ssl_module.c
> @@ -48,6 +48,7 @@ static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
>     { ngx_string("off"), 0 },
>     { ngx_string("on"), 1 },
>     { ngx_string("optional"), 2 },
> +    { ngx_string("no_verify"), 3 },
>     { ngx_null_string, 0 }
> };
> 
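Review bot: the new mode is introduced as a bare literal 3 here and is then compared as `conf->verify != 3` and `sscf->verify != 3` in the other two hunks; give it a named constant beside the existing values so the special-casing is greppable and cannot drift if the table changes. The new entry also needs a documentation line stating what "no_verify" actually does: a certificate is requested and any certificate, valid or not, is accepted, which is not what the name suggests to an administrator reading ssl_verify_client.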
> @@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void
> *parent, void *child)
> 
>     if (conf->verify) {
> 
> -        if (conf->client_certificate.len == 0) {
> +        if (conf->client_certificate.len == 0 && conf->verify != 3) {
>             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
>                           "no ssl_client_certificate for
> ssl_client_verify");
>             return NGX_CONF_ERROR;
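Review bot: the check relaxed at `conf->client_certificate.len == 0` is the only merge-time guarantee that a verifying mode has a trust anchor; with mode 3 and no ssl_client_certificate there is no CA list to verify against, so whatever the client presents reaches the request handler unauthenticated. If the mode is kept at all it should still require ssl_client_certificate, so that SSL_get_verify_result in the request path returns something meaningful, rather than carving out an exception here. Also visible in this hunk, though pre-existing: the emergency message says "ssl_client_verify" while the directive is ssl_verify_client.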
> diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
> index c104db1..5d02683 100644
> --- a/src/http/ngx_http_request.c
> +++ b/src/http/ngx_http_request.c
> @@ -1634,7 +1634,7 @@ ngx_http_process_request(ngx_http_request_t *r)
>         if (sscf->verify) {
>             rc = SSL_get_verify_result(c->ssl->connection);
> 
> -            if (rc != X509_V_OK) {
> +            if (sscf->verify != 3 && rc != X509_V_OK) {
>                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
>                               "client SSL certificate verify error:
> (%l:%s)",
>                               rc, X509_verify_cert_error_string(rc));
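Review bot: with `sscf->verify != 3` added to this condition, a failed verification is not only accepted but also never reaches the NGX_LOG_INFO message, so an expired, self-signed or untrusted certificate produces no log line at all and an operator cannot detect that it happened. At minimum the logging should stay unconditional and only the rejection be gated; better, drop the mode, since the existing "optional" value (2) already lets a client omit a certificate while this same branch still rejects an invalid one.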
> --
> 
> 
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
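As an added illustration, not part of Eric's patch or of nginx's own documentation: the "optional" mode that already exists in the enum above lets an application server receive a client certificate without the TLS layer silently accepting an invalid one. Host names, paths and the upstream address are placeholders.

```nginx
# Added example (not from the patch): keep the TLS-layer verdict and hand it
# to the application instead of discarding it the way "no_verify" would.
# Paths, names and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/certs/server.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/server.key;   # placeholder

    # Weak (the proposed patch): any presented certificate is accepted and
    # verification failures are not even logged.
    #   ssl_verify_client no_verify;

    # Safer: request a certificate and verify it against a real trust
    # anchor, but do not reject the request when the client sends none.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;  # placeholder CA bundle
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    location / {
        # The application decides, using nginx's verification result rather
        # than the bare certificate. $ssl_client_verify is NONE, SUCCESS or
        # FAILED; proxy_set_header overwrites any copy the client sent.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;  # placeholder upstream
    }
}
```

The application must treat only SUCCESS as an authenticated identity; NONE and FAILED both mean the subject DN header is unverified.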
