[PATCH] Add a no_verify option for SSL client authentication
Tom van der Woerdt
info at tvdw.eu
Mon Aug 20 12:37:44 UTC 2012
Hi Eric,
For the record, I'm not affiliated with nginx.
If I understand your message correctly, you've got a load balancer (or
something similar) in front of nginx that already verifies the
certificates. You simply don't want nginx to do all the double checking,
or maybe you just don't want to store the keys on an application server.
A patch such as the one you supplied would be a major security hole (for
those who don't know what they're doing, which nowadays is most people)
while not offering much in return. What you describe can already be
achieved by (for example) passing the cert's DN to the application
server (and making sure the application server only accepts requests
from your load balancer):
proxy_set_header X-SSL-DN $ssl_client_s_dn;
This would also take care of the required SSL connection between your
load balancer and your application server, which could now simply be an
HTTP connection that is kept alive if it's on a private subnet.
Significant performance boost that probably only requires minimal
changes in your application.
I'm going to stick with my original recommendation: don't include it in
nginx by default. While the patch might be very helpful in your specific
case, it's going to be used by people who have no idea what they're
doing as well, and that can be very dangerous. It has only one very
specific use case (that's covered by other options in nginx) but many
dangerous use cases. Maybe write it as a 3rd party module that does
this, or publish it as a patch on your own site?
Tom
On 8/20/12 2:12 PM, Eric O'Connor wrote:
> Tom,
>
> Your feedback is correct in the sense that if we were not performing
> certificate verification, it would be bad news. It is not applicable
> here, though.
>
> In my original email I noted that we are in fact performing
> certificate verification, it is simply not done in nginx code. Your
> security concerns are irrelevant for our application, since in both
> cases the certificate is cryptographically verified long before the
> request is passed to the application (this is exactly what happens if
> you do the verification in nginx code, so there is no
> security-relevant difference between the two approaches). They are
> also irrelevant for nginx in general, because "no_verify" is a fairly
> self-explanatory option that will be very unlikely to be used
> accidentally.
>
> In light of your misunderstanding, I would ask that you please
> reconsider your recommendation.
>
> Eric O'Connor
>
>
> --
>
> Feedback: this is a bad idea and super bad practice. If you want to
> use client cert auth but don't verify them, you might just as well
> only have an input field with 'What's your name?' as the login page,
> no password field. You drop any security that client auth offers.
>
> Recommendation: don't include this patch in nginx. The only thing it
> does is create a massive security hole.
>
> Tom
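The arrangement Tom describes (verify the client certificate once at the edge, pass the verified subject DN to the application tier, and make sure the application tier accepts traffic only from the edge) as a pair of nginx configurations. This is an added example, not a configuration from the thread or from the nginx project; the hostnames, certificate paths, the 10.0.0.10 edge address, the 10.0.0.20 application address and the port numbers are constructed placeholders.

```nginx
# ---- Edge (load balancer) nginx: terminates TLS and verifies client certs ----
# All addresses, hostnames and paths below are constructed for this example.

upstream app_tier {
    server 10.0.0.20:8080;
    keepalive 16;          # reuse plain-HTTP connections to the app tier
}

server {
    listen 443 ssl;
    server_name edge.example.com;

    ssl_certificate     /etc/nginx/tls/edge.crt;
    ssl_certificate_key /etc/nginx/tls/edge.key;

    # Client certificate verification happens here, once, against this CA.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://app_tier;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # required for upstream keepalive
        proxy_set_header Host $host;

        # proxy_set_header always overwrites: the app tier receives the DN
        # nginx verified, never a value supplied by the client.
        proxy_set_header X-SSL-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Verify $ssl_client_verify;
    }
}

# ---- Application-tier nginx on 10.0.0.20: plain HTTP, edge-only ----------

server {
    listen 10.0.0.20:8080;

    # Only the edge may reach this listener; everything else is rejected.
    allow 10.0.0.10;
    deny  all;

    location / {
        # Fail closed: refuse requests that do not carry a verified DN, so a
        # misconfigured edge produces 403s rather than unauthenticated access.
        if ($http_x_ssl_verify != "SUCCESS") {
            return 403;
        }
        proxy_pass http://127.0.0.1:3000;   # the application itself
        proxy_set_header X-SSL-DN $http_x_ssl_dn;
    }
}
```

Two design points matter for this to be as safe as verifying in the application tier directly. First, the edge must set the header unconditionally (as `proxy_set_header` does) rather than pass through whatever arrived, so the DN the application sees is always the one bound to a verified certificate. Second, the `allow`/`deny` pair is only one layer: the private subnet should also be enforced by a firewall or network ACL, because the application tier trusts `X-SSL-DN` purely on the strength of who is allowed to connect to it.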
More information about the nginx-devel mailing list