[PATCH] Add a no_verify option for SSL client authentication

Tom van der Woerdt info at tvdw.eu
Mon Aug 20 12:37:44 UTC 2012 

Hi Eric,

For the record, I'm not affiliated with nginx.

If I understand your message correctly, you've got a load balancer (or 
something similar) in front of nginx that already verifies the 
certificates. You simply don't want nginx to do all the double checking, 
or maybe you just don't want to store the keys on an application server.

A patch such as the one you supplied would be a major security hole (for 
those who don't know what they're doing, which nowadays is most people) 
while not offering much in return. What you describe can already be 
achieved by (for example) passing the cert's DN to the application 
server (and making sure the application server only accepts requests 
from your load balancer):

proxy_set_header X-SSL-DN $ssl_client_s_dn;

This would also take care of the required SSL connection between your 
load balancer and your application server, which could now simply be a 
http connection that is kept alive if it's on a private subnet. 
Significant performance boost that probably only requires minimal 
changes in your application.

I'm going to stick with my original recommendation: don't include it in 
nginx by default. While the patch might be very helpful in your specific 
case, it's going to be used by people who have no idea what they're 
doing as well, and that can be very dangerous. It has only one very 
specific use case (that's covered by other options in nginx) but many 
dangerous use cases. Maybe write it as a 3rd party module that does 
this, or publish it as a patch on your own site?

Tom


Op 8/20/12 2:12 PM, Eric O'Connor schreef:
> Tom,
>
> Your feedback is correct in the sense that if we were not performing
> certificate verification, it would be bad news. It is not applicable
> here, though.
>
> In my original email I noted that we are in fact performing
> certificate verification, it is simply not done in nginx code. Your
> security concerns are irrelevant for our application, since in both
> cases the certificate is cryptographically verified long before the
> request is passed to the application (this is exactly what happens if
> you do the verification in nginx code, so there is no
> security-relevant difference between the two approaches). They are
> also irrelevant for nginx in general, because "no_verify" is a fairly
> self explanatory option that will be very unlikely to be used
> accidentally.
>
> In light of your misunderstanding, I would ask that you please
> reconsider your recommendation.
>
> Eric O'Connor
>
>
> --
>
> Feedback: this is a bad idea and super bad practice. If you want to
> use client cert auth but don't verify them, you might just as well
> only have an input field with 'What's your name?' as the login page,
> no password field. You drop any security that client auth offers.
>
> Recommendation: don't include this patch in nginx. The only thing it
> does is create a massive security hole.
>
> Tom

More information about the nginx-devel mailing list