[PATCH] mail_{ssl, auth_http}_module: add support for SSL client certificates

Filipe Da Silva fdasilvayy at gmail.com
Mon Jan 13 12:09:02 UTC 2014


Hi.

Some remarks about your patch.

2014/1/13  <nginx-devel-request at nginx.org>:
> From: Sven Peter <sven at ha.cki.ng>
> To: nginx-devel at nginx.org
> Subject: [PATCH] mail_{ssl, auth_http}_module: add support for SSL
>         client certificates
> Message-ID: <8744640301ae0f7d4c16.1389608966 at 123.fritz.box>
> Content-Type: text/plain; charset="us-ascii"
>
> # HG changeset patch
> # User Sven Peter <sven at ha.cki.ng>
> # Date 1389607375 -3600
> #      Mon Jan 13 11:02:55 2014 +0100
> # Node ID 8744640301ae0f7d4c16108e68c9ae6eb60f2213
> # Parent  4aa64f6950313311e0d322a2af1788edeb7f036c
> mail_{ssl,auth_http}_module: add support for SSL client certificates
>
> This patch adds support for SSL client certificates to the mail proxy
> capabilities of nginx both for STARTTLS and SSL mode.
> Just like the HTTP SSL module a root CA is defined in the mail section
> of the configuration file. Verification can be optional or mandatory.
> Additionally, the result of the verification is exposed to the
> auth http backend via the SSL-Verify, SSL-Subject-DN and SSL-Issuer-DN
> HTTP headers.
>
> diff -r 4aa64f695031 -r 8744640301ae src/mail/ngx_mail_auth_http_module.c
> --- a/src/mail/ngx_mail_auth_http_module.c      Sat Jan 04 03:32:22 2014 +0400
> +++ b/src/mail/ngx_mail_auth_http_module.c      Mon Jan 13 11:02:55 2014 +0100
> @@ -1144,6 +1144,11 @@
>      ngx_buf_t                 *b;
>      ngx_str_t                  login, passwd;
>      ngx_mail_core_srv_conf_t  *cscf;
> +    ngx_str_t ssl_client_verify = {0, NULL};
> +    ngx_str_t ssl_client_raw_s_dn = {0, NULL};
> +    ngx_str_t ssl_client_raw_i_dn = {0, NULL};
> +    ngx_str_t ssl_client_s_dn = {0, NULL};
> +    ngx_str_t ssl_client_i_dn = {0, NULL};

This kind of initialization is not part of the nginx coding style.

>
>      if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) {
>          return NULL;
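Review bot: the five new `ngx_str_t` declarations at the top of the @@ -1144 hunk carry `= {0, NULL}` initializers and are not column-aligned with the surrounding `ngx_buf_t *b;` / `ngx_str_t login, passwd;` block; nginx declares locals without initializers, aligned with the existing declarations, and sets them where needed (e.g. `ngx_str_null(&ssl_client_verify);`). Since the values are only populated under `#if (NGX_MAIL_SSL)` in the following hunk, also consider moving the declarations inside that guard so a build without mail SSL does not carry unused locals and their compiler warnings.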
> @@ -1153,6 +1158,29 @@
>          return NULL;
>      }
>
> +    // ssl_client_verify doesn't need to be escaped since it comes from nginx itself
> +#if (NGX_MAIL_SSL)
> +    ngx_ssl_get_client_verify(s->connection, pool, &ssl_client_verify);
> +    ngx_ssl_get_subject_dn(s->connection, pool, &ssl_client_s_dn);
> +    ngx_ssl_get_subject_dn(s->connection, pool, &ssl_client_i_dn);
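Review bot: the third call in the @@ -1153 hunk stores the subject DN into `ssl_client_i_dn`, so the issuer-DN header sent to the auth backend would contain the subject DN; it should be `ngx_ssl_get_issuer_dn(s->connection, pool, &ssl_client_i_dn);`. The return values of `ngx_ssl_get_client_verify()` and `ngx_ssl_get_subject_dn()` are also discarded; they return `NGX_ERROR` on allocation failure and the function should `return NULL` in that case, as it does for the escape calls just above. Finally, the `//` comment should be a `/* ... */` comment to match the rest of the file.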

Two calls to ngx_ssl_get_subject_dn: copy-paste issue?

...

Regards,
FDS


