[PATCH] Mail: added support for SSL client certificate
Filipe Da Silva
fdasilvayy at gmail.com
Mon Jun 16 20:22:54 UTC 2014
Hi all.
I reworked the mail SSL client certificate patch a bit on two points:
- Drop the AuthVerify header, as it is unhelpful.
- Add a new certificate fingerprint header, a feature that was recently
added to the http module.
Please find attached a new patch to add the "auth_http_client_cert" setting.
It now allows configuring which part(s) of the certificate will be
sent to the authentication backend script.
Comments and review are welcome.
Regards,
Filipe da Silva
2014-04-14 9:33 GMT+02:00 Franck Levionnois <flevionnois at gmail.com>:
> Hello,
>
> I forward Filipe's message, because it doesn't appear in the forum's stack.
> I'm ok with the proposal.
>
> Kind Regards.
> Franck Levionnois.
>
>
> 2014-04-07 10:35 GMT+02:00 Filipe Da Silva <fdasilvayy at gmail.com>:
>
>> Hi,
>>
>> From the mail-auth-http module's point of view, the Auth-Verify header
>> carries trivial information.
>> Its value mostly depends on the current server configuration (the verify
>> setting).
>> IMHO, it could be discarded.
>>
>> About the various/duplicated headers related to the client
>> certificate, a smart solution
>> could be adding an 'auth_http_client_cert' setting.
>>
>> It could be either a kind of bit-field allowing the wanted headers to be
>> selected one by one, or a log level.
>>
>> Bit-fields don't seem to be a part of nginx configuration usage.
>> Instead, a short list of keywords could be defined, maybe following
>> the OpenSSL display options:
>> http://www.openssl.org/docs/apps/x509.html#DISPLAY_OPTIONS
>>
>> Or, the auth_http_client_cert log levels could be :
>> - none
>> - basic -> just the Certificate Subject
>> - detailed : Subject, Issuer
>> - complete : Subject, Issuer, sha1 hash
>> - full -> whole certificate
>> IMHO, 'detailed' should be the default setting, if not configured.
>>
>> Regards,
>> Filipe da Silva
>>
# HG changeset patch
# Parent cc921a930c4aa0db1dc642ac0ce977e5734e59e5
Mail: Add 'SSL client auth header fields' configuration setting
Added mail configuration directive: auth_http_client_cert
Possible values are: none, cert, subject, issuer, serial, fingerprint.
The 'none' option is exclusive of any other.
diff -r cc921a930c4a src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 +0100
+++ b/src/mail/ngx_mail_auth_http_module.c Mon Jun 16 21:59:52 2014 +0200
@@ -25,6 +25,7 @@ typedef struct {
u_char *file;
ngx_uint_t line;
+ ngx_uint_t cert_fields;
} ngx_mail_auth_http_conf_t;
@@ -83,6 +84,27 @@ static char *ngx_mail_auth_http_header(n
void *conf);
+#define NGX_MAIL_AUTH_HTTP_CERTIFICATE 0x0002
+#define NGX_MAIL_AUTH_HTTP_CERT_SUBJECT 0x0010
+#define NGX_MAIL_AUTH_HTTP_CERT_ISSUER 0x0020
+#define NGX_MAIL_AUTH_HTTP_CERT_SERIAL 0x0040
+#define NGX_MAIL_AUTH_HTTP_CERT_FINGERPRINT 0x0080
+
+#define NGX_MAIL_AUTH_HTTP_CERT_NONE 0x8000
+
+#define NGX_MAIL_AUTH_HTTP_CERT_DEFAULT \
+ (NGX_MAIL_AUTH_HTTP_CERT_SUBJECT | NGX_MAIL_AUTH_HTTP_CERT_ISSUER)
+
+static ngx_conf_bitmask_t ngx_mail_auth_http_client_cert[] = {
+ { ngx_string("none"), NGX_MAIL_AUTH_HTTP_CERT_NONE },
+ { ngx_string("cert"), NGX_MAIL_AUTH_HTTP_CERTIFICATE },
+ { ngx_string("subject"), NGX_MAIL_AUTH_HTTP_CERT_SUBJECT },
+ { ngx_string("issuer"), NGX_MAIL_AUTH_HTTP_CERT_ISSUER },
+ { ngx_string("serial"), NGX_MAIL_AUTH_HTTP_CERT_SERIAL },
+ { ngx_string("fingerprint"), NGX_MAIL_AUTH_HTTP_CERT_FINGERPRINT },
+ { ngx_null_string, 0 }
+};
+
static ngx_command_t ngx_mail_auth_http_commands[] = {
{ ngx_string("auth_http"),
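Review bot: The flag values leave 0x0001 unused and jump from 0x0002 to 0x0010 without saying why; the low bit must stay free because the merge in this series ORs NGX_CONF_BITMASK_SET into the default, so a comment above the defines should record that, e.g. `/* 0x0001 is reserved for NGX_CONF_BITMASK_SET; "none" is exclusive and is rejected together with any other flag at merge time */`. Whether the gap between 0x0002 and 0x0010 is a deliberate reservation cannot be told from the hunk and deserves a word too. The naming is also uneven: every field macro carries the CERT_ prefix except NGX_MAIL_AUTH_HTTP_CERTIFICATE, which makes the set harder to grep; either align the name or note the exception.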
@@ -106,6 +128,13 @@ static ngx_command_t ngx_mail_auth_http
0,
NULL },
+ { ngx_string("auth_http_client_cert"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
+ ngx_conf_set_bitmask_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_auth_http_conf_t, cert_fields),
+ ngx_mail_auth_http_client_cert },
+
ngx_null_command
};
@@ -1189,30 +1218,52 @@ ngx_mail_auth_http_create_request(ngx_ma
cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
#if (NGX_MAIL_SSL)
- if (s->connection->ssl) {
- if (ngx_ssl_get_certificate_oneline(s->connection, pool,
- &client_cert) != NGX_OK) {
- return NULL;
+ if (s->connection->ssl &&
+ !(ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_NONE)) {
+
+ if (ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERTIFICATE) {
+ if (ngx_ssl_get_certificate_oneline(s->connection, pool,
+ &client_cert) != NGX_OK) {
+ return NULL;
+ }
+ } else {
+ client_cert.len = 0;
}
- if (ngx_ssl_get_subject_dn(s->connection, pool,
- &client_subject) != NGX_OK) {
- return NULL;
+ if (ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_SUBJECT) {
+ if (ngx_ssl_get_subject_dn(s->connection, pool,
+ &client_subject) != NGX_OK) {
+ return NULL;
+ }
+ } else {
+ client_subject.len = 0;
}
- if (ngx_ssl_get_issuer_dn(s->connection, pool,
- &client_issuer) != NGX_OK) {
- return NULL;
+ if (ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_ISSUER) {
+ if (ngx_ssl_get_issuer_dn(s->connection, pool,
+ &client_issuer) != NGX_OK) {
+ return NULL;
+ }
+ } else {
+ client_issuer.len = 0;
}
- if (ngx_ssl_get_serial_number(s->connection, pool,
- &client_serial) != NGX_OK) {
- return NULL;
+ if (ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_SERIAL) {
+ if (ngx_ssl_get_serial_number(s->connection, pool,
+ &client_serial) != NGX_OK) {
+ return NULL;
+ }
+ } else {
+ client_serial.len = 0;
}
- if (ngx_ssl_get_fingerprint(s->connection, pool,
- &client_fingerprint) != NGX_OK) {
- return NULL;
+ if (ahcf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_FINGERPRINT) {
+ if (ngx_ssl_get_fingerprint(s->connection, pool,
+ &client_fingerprint) != NGX_OK) {
+ return NULL;
+ }
+ } else {
+ client_fingerprint.len = 0;
}
} else {
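Review bot: The else branch that an SSL connection configured with `none` now falls into begins on the last line of this hunk and its body lies outside it; that path is shared with plain connections, so it must zero all five lengths (client_cert, client_subject, client_issuer, client_serial, client_fingerprint) or the later header assembly will read whatever the uninitialised locals hold, which should be confirmed against the lines that follow. Separately, with the Auth-Verify header dropped, nothing here tells the backend whether the certificate these fields describe was verified; that is only safe if the rest of the series refuses the handshake for an unverified client certificate, so if an optional verification mode exists the directive's documentation should state that these fields describe a presented, not necessarily verified, certificate. The five if/else blocks have the same shape and could be driven from a small flag/getter table, but that is a style choice. ngx_mail_auth_http_create_request starts and ends outside the hunk.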
@@ -1469,6 +1520,18 @@ ngx_mail_auth_http_merge_conf(ngx_conf_t
}
}
+ ngx_conf_merge_bitmask_value(conf->cert_fields, prev->cert_fields,
+ (NGX_CONF_BITMASK_SET
+ |NGX_MAIL_AUTH_HTTP_CERT_DEFAULT));
+
+ if ((conf->cert_fields & NGX_MAIL_AUTH_HTTP_CERT_NONE)
+ && conf->cert_fields != NGX_MAIL_AUTH_HTTP_CERT_NONE ) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "\"auth_http_client_cert none\" is an exclusive flag"
+ "%s:%ui", conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
ngx_conf_merge_msec_value(conf->timeout, prev->timeout, 60000);
if (conf->headers == NULL) {
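Review bot: The two string literals of the error message have no separator between "flag" and the file name, so the log line reads `...is an exclusive flag/path/nginx.conf:12`; the second literal should be `" in %s:%ui"`. conf->file and conf->line are already kept in the struct for this kind of reporting, which suggests the existing auth_http error path formats them similarly and is worth matching (that path is not visible in the hunk). There is also a stray space before the closing parenthesis on the `conf->cert_fields != NGX_MAIL_AUTH_HTTP_CERT_NONE )` line. ngx_mail_auth_http_merge_conf continues outside the hunk.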
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Mail-SSL-MutualAuthentification.patch
Type: text/x-diff
Size: 14324 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140616/f868ad63/attachment-0001.bin>