[PATCH] Add a no_verify option for SSL client authentication

Eric O'Connor eoconnor at coincident.com
Mon Aug 20 12:12:44 UTC 2012


Tom,

Your feedback is correct in the sense that if we were not performing
certificate verification, it would be bad news. It is not applicable
here, though.

In my original email I noted that we are in fact performing
certificate verification; it is simply not done in nginx code. Your
security concerns are irrelevant for our application, since in both
cases the certificate is cryptographically verified long before the
request is passed to the application (this is exactly what happens if
you do the verification in nginx code, so there is no
security-relevant difference between the two approaches). They are
also irrelevant for nginx in general, because "no_verify" is a fairly
self-explanatory option that will be very unlikely to be used
accidentally.

In light of your misunderstanding, I would ask that you please
reconsider your recommendation.

Eric O'Connor


--

Feedback: this is a bad idea and super bad practice. If you want to
use client cert auth but don't verify them, you might just as well
only have an input field with 'What's your name?' as the login page,
no password field. You drop any security that client auth offers.

Recommendation: don't include this patch in nginx. The only thing it
does is create a massive security hole.

Tom


