[PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
Maxim Dounin
mdounin at mdounin.ru
Fri Feb 7 10:58:18 UTC 2014
Hello!
On Thu, Feb 06, 2014 at 06:40:29PM -0800, Piotr Sikora wrote:
> Hey Maxim,
>
> > I think that automatic checking peer name is how it should work (I
> > believe examples above imply this, please let me know if you need
> > more clarification on the proposal above). Moreover, I think it
> > should complain if verify is on but checking isn't supported, and
> > ask administrator to explicitly switch off peer name check.
> >
> > I strongly disagree with the idea of verify being on by default
> > though, at least for now, it will break too many configurations.
> >
> > And I also think that there should be a way to at least switch off
> > SNI, and do this independently from peer verification.
>
> Got it, I mis-read your previous comment.
>
> To make sure we're on the same page:
> - proxy_ssl_name - complex value, defaults to $proxy_host,
> - proxy_ssl_verify - on / no_name / off (default) switch, verifies
> upstream's certificate and optionally checks that it matches value
> from proxy_ssl_name,
> - proxy_ssl_server_name - on (default) / off switch, sends value from
> proxy_ssl_name to SNI to upstream.
>
> I don't like adding proxy_ssl_verify_name directive just to configure
> the host checking logic. IMHO, it's part of the verification process
> and should be configureable via proxy_ssl_verify.
Well, there is no real difference, but I think that it would be
easier to use distinct flags instead. Note that it also matches
what Apache has:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername
By looking around you may also find various other flags in Apache
to control verification (like SSLProxyCheckPeerExpire). I suspect
eventually we may need to add at least some of them. Having all
this controlled in a single directive would be a pain.
My original suggestion is as follows:
proxy_ssl_name <value>
default: $proxy_host
complex value, controls a name used in SNI (if
enabled)
proxy_ssl_verify on|off
default: off
flag, controls if remote certificate verification is enabled
proxy_ssl_verify_name on|off
default: on
flag, controls if remote certificate verification needs to
check peer's name; must be explicitly switched off
if certificate verification is switched on, but
the name can't be checked due to too old OpenSSL
proxy_ssl_sni on|off
default: off (?)
flag, controls if SNI (Server Name Indication) will be used
while connecting to backends;
(I tend to think that "proxy_ssl_sni" is a better name compared to
"proxy_ssl_server_name", as Server Name Indication is usually
called SNI in various places.)
> I'm also not 100% convinced that we should allow users to configure
> proxy_ssl_name... Maybe just force it to $proxy_host?
Certainly we should. There are lots of configurations where
something like "proxy_set_header Host $host" is used to override
hostname in a request to upstream, and forcing $proxy_host as a
name for SNI and certificate verification would be a bad idea.
> Does it match your proposal or did I miss something?
Mostly, see above.
> Regarding complaining - do we want to re-implement X509_check_host()
> (from OpenSSL-1.0.2) or do we want to complain to virtually anybody
> that turns upstream SSL verification on?
Well, I think it would be fine to have some fallback for current
OpenSSL versions. But given amount of code it adds, I'm ok with
something simplified, up to unconditional rejection of all
certificates if OpenSSL isn't 1.0.2+, at least for now.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list