Proposed changeset to fix client cert from ngx_ssl_get_certificate passed as HTTP header value
Maxim Dounin
mdounin at mdounin.ru
Fri Feb 5 15:58:12 UTC 2016
Hello!
On Thu, Feb 04, 2016 at 01:38:48PM -0800, Sam McKelvie wrote:
> I think it is your call if you want to make a breaking change to
> $ssl_client_cert to URL encode it; I'd be happy to submit the
> changeset if you would approve that, but I personally don't feel
> comfortable breaking any existing applications that parse/decode the
> certificate.
No, certainly not something I want to be done.
> So my suggestion now is to define a new $ssl_client_cert_url_encoded
> variable that is the URL-encoded form of the raw PEM certificate. With
> your approval I will submit a changeset for that...
Yes, adding a variable with a URL-escaped version looks like a
way to go. I disagree with the name you suggest though; I think
that something like $ssl_client_escaped_cert would be more in line
with $ssl_client_cert and $ssl_client_raw_cert variables we
currently have and the ngx_escape_uri() function nginx uses
internally.
Some more background. As of now we have:
- $ssl_client_raw_cert - client cert in PEM format
- $ssl_client_cert - client cert in PEM format with \t added
At some distant point in the future we probably want to have:
- $ssl_client_cert - client cert in PEM format
- a way to urlescape() things, see
https://trac.nginx.org/nginx/ticket/52
At this point, an escaped version of the client cert will be
available as something like ${urlescape($ssl_client_cert)}. All
uses of client cert with tabs are expected to disappear. There
are a couple of problems though:
- there are existing uses of $ssl_client_cert and
$ssl_client_raw_cert, breaking them would be bad;
- we don't have a urlescape() function in configs, and probably
won't have it in the near future.
So we have to figure out some migration plan, e.g.:
- introduce $ssl_client_escaped_cert, with urlescaped PEM cert;
- introduce $ssl_client_tabbed_cert as an alias to
$ssl_client_cert (with PEM cert with tabs);
- change $ssl_client_cert back to be raw cert (preserving
$ssl_client_raw_cert as a deprecated alias for some time);
- do something with $ssl_client_tabbed_cert at some point, not
sure;
- once urlescape() functionality is added, deprecate
$ssl_client_escaped_cert, suggesting to use
urlescape($ssl_client_cert) instead.
Not sure if it's an optimal plan and if we are actually going to
follow it, but introducing $ssl_client_escaped_cert looks like a
more or less obvious first step, at least if we don't expect
urlescape() to appear in the near future.
--
Maxim Dounin
http://nginx.org/
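The three forms of the certificate discussed in this thread (raw PEM, the tabbed $ssl_client_cert form, and the proposed URL-escaped form), side by side in a small Python example. This is added illustration, not nginx code or anything posted in the thread: the tab insertion mirrors my understanding of what "PEM format with \t added" means (trailing newline dropped, a tab after every remaining newline), the escaping uses Python's percent-encoding rather than ngx_escape_uri(), and the PEM string is a constructed stand-in, not a real certificate. The point for a header consumer is that only the escaped form contains no CR, LF or tab characters, so it can travel as a single header field value and be decoded losslessly without relying on obsolete line folding.

```python
from urllib.parse import quote, unquote

# Constructed stand-in for a PEM client certificate (not a real certificate,
# the body lines are arbitrary base64-looking text).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVkCFHExample+Base64/Body+Line1\n"
    "MIIBszCCAVkCFHExample+Base64/Body+Line2==\n"
    "-----END CERTIFICATE-----\n"
)


def tabbed_cert(pem: str) -> str:
    """The '$ssl_client_cert' style value as described in the thread
    (assumed here): drop the trailing newline and insert a tab after every
    remaining newline, so each continuation line starts with whitespace.
    This relies on header line folding, which downstream parsers may reject
    or handle inconsistently."""
    body = pem[:-1] if pem.endswith("\n") else pem
    return body.replace("\n", "\n\t")


def escaped_cert(pem: str) -> str:
    """The proposed '$ssl_client_escaped_cert' style value: percent-encode
    the raw PEM. safe='' also encodes '/', '+' and '=', which occur in
    base64 bodies, so the result contains only unreserved characters and
    percent-escapes."""
    return quote(pem, safe="")


def unescape_cert(value: str) -> str:
    """Recover the exact raw PEM from the escaped header value."""
    return unquote(value)


def is_safe_header_value(value: str) -> bool:
    """True if the value can be carried in one HTTP header field without
    line folding: no CR, LF, tab or other control characters."""
    return not any(ord(ch) < 0x20 or ch == "\x7f" for ch in value)


if __name__ == "__main__":
    for label, value in (
        ("raw", SAMPLE_PEM),
        ("tabbed", tabbed_cert(SAMPLE_PEM)),
        ("escaped", escaped_cert(SAMPLE_PEM)),
    ):
        print(f"{label:8s} header-safe={is_safe_header_value(value)} "
              f"len={len(value)}")
    assert unescape_cert(escaped_cert(SAMPLE_PEM)) == SAMPLE_PEM
```

A receiving application that reads the escaped header simply percent-decodes it and hands the PEM to its X.509 library; the raw and tabbed forms, by contrast, either cannot be placed in a header at all or require the consumer to undo line folding first.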