[PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives

Fri Feb 7 10:58:18 UTC 2014

Hello!

On Thu, Feb 06, 2014 at 06:40:29PM -0800, Piotr Sikora wrote:

> Hey Maxim,
> 
> > I think that automatic checking peer name is how it should work (I
> > believe examples above imply this, please let me know if you need
> > more clarification on the proposal above).  Moreover, I think it
> > should complain if verify is on but checking isn't supported, and
> > ask administrator to explicitly switch off peer name check.
> >
> > I strongly disagree with the idea of verify being on by default
> > though, at least for now, it will break too many configurations.
> >
> > And I also think that there should be a way to at least switch off
> > SNI, and do this independently from peer verification.
> 
> Got it, I mis-read your previous comment.
> 
> To make sure we're on the same page:
> - proxy_ssl_name - complex value, defaults to $proxy_host,
> - proxy_ssl_verify - on / no_name / off (default) switch, verifies
> upstream's certificate and optionally checks that it matches value
> from proxy_ssl_name,
> - proxy_ssl_server_name - on (default) / off switch, sends value from
> proxy_ssl_name to SNI to upstream.
> 
> I don't like adding proxy_ssl_verify_name directive just to configure
> the host checking logic. IMHO, it's part of the verification process
> and should be configureable via proxy_ssl_verify.

Well, there is no real difference, but I think that it would be 
easier to use distinct flags instead.  Note that it also matches 
what Apache has:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

By looking around you may also find various other flags in Apache 
to control verification (like SSLProxyCheckPeerExpire).  I suspect 
eventually we may need to add at least some of them.  Having all 
this controlled in a single directive would be a pain.

My original suggestion is as follows:

proxy_ssl_name <value>

    default: $proxy_host
    complex value, controls a name used in SNI (if 
    enabled)

proxy_ssl_verify on|off

    default: off
    flag, controls if remote certificate verification is enabled

proxy_ssl_verify_name on|off

    default: on
    flag, controls if remote certificate verification needs to 
    check peer's name;  must be explicitly switched off
    if certificate verification is switched on, but
    the name can't be checked due to too old OpenSSL

proxy_ssl_sni on|off

    default: off (?)
    flag, controls if SNI (Server Name Indication) will be used
    while connecting to backends;

(I tend to think that "proxy_ssl_sni" is a better name compared to 
"proxy_ssl_server_name", as Server Name Indication is usually 
called SNI in various places.)

> I'm also not 100% convinced that we should allow users to configure
> proxy_ssl_name... Maybe just force it to $proxy_host?

Certainly we should.  There are lots of configurations where 
something like "proxy_set_header Host $host" is used to override 
hostname in a request to upstream, and forcing $proxy_host as a 
name for SNI and certificate verification would be a bad idea.

> Does it match your proposal or did I miss something?

Mostly, see above.

> Regarding complaining - do we want to re-implement X509_check_host()
> (from OpenSSL-1.0.2) or do we want to complain to virtually anybody
> that turns upstream SSL verification on?

Well, I think it would be fine to have some fallback for current 
OpenSSL versions.  But given amount of code it adds, I'm ok with 
something simplified, up to unconditional rejection of all 
certificates if OpenSSL isn't 1.0.2+, at least for now.

-- 
Maxim Dounin
http://nginx.org/