How to contribute fix for checking x509 extended key attrs to nginx?

Ethan Rahn erahn at arista.com
Tue Jan 10 23:41:14 UTC 2017


Hello,

I noticed that nginx does not check x509v3 certificates (in
event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example) to see
that the optional extended key usage settings are correct. I have a patch
for this that I would like to contribute, but I'm unable to find
contribution guidelines on the nginx web-site.

The effect of this issue is that someone could offer a client certificate
that has extended key usage set to, say, serverAuth. This would be a
violation of RFC 5280 - Section 4.2.1.12. I fix this by checking the
bitfield manually to see that the settings are correct.

Cheers,

Ethan
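
The check this message describes, as an added example that is not part of the original post or of the author's patch: a self-contained C function that walks the DER contents of an extended key usage extension and decides whether clientAuth is permitted under RFC 5280 section 4.2.1.12. The function, enum and sample names are hypothetical, the byte arrays are constructed, and treating anyExtendedKeyUsage as acceptable is an assumption made here.

```c
#include <stddef.h>
#include <string.h>

/* DER content bytes of the KeyPurposeId OIDs (RFC 5280, section 4.2.1.12). */
static const unsigned char OID_CLIENT_AUTH[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02}; /* 1.3.6.1.5.5.7.3.2 */
static const unsigned char OID_ANY_EKU[]     = {0x55,0x1d,0x25,0x00};                     /* 2.5.29.37.0 */

enum eku_result { EKU_OK = 0, EKU_WRONG_PURPOSE = 1, EKU_MALFORMED = 2 };

/* Read one DER tag+length header; returns 0 on success and advances *p past it. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char tag, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != tag) return -1;
    size_t l = (*p)[1];
    *p += 2;
    if (l & 0x80) {                 /* long form: accept 1 or 2 length bytes only */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;   /* declared length overruns the buffer */
    *len = l;
    return 0;
}

/* der/der_len: extnValue contents of the EKU extension (hypothetical caller
 * supplies them), or NULL when the certificate has no EKU extension at all. */
enum eku_result eku_check_client_auth(const unsigned char *der, size_t der_len)
{
    if (der == NULL) return EKU_OK;          /* extension absent: no restriction */
    const unsigned char *p = der, *end = der + der_len;
    size_t seq_len, oid_len;
    int allowed = 0;
    if (der_header(&p, end, 0x30, &seq_len) != 0 || p + seq_len != end || seq_len == 0)
        return EKU_MALFORMED;                /* must be one non-empty SEQUENCE */
    while (p < end) {
        if (der_header(&p, end, 0x06, &oid_len) != 0) return EKU_MALFORMED;
        if ((oid_len == sizeof OID_CLIENT_AUTH && memcmp(p, OID_CLIENT_AUTH, oid_len) == 0) ||
            (oid_len == sizeof OID_ANY_EKU && memcmp(p, OID_ANY_EKU, oid_len) == 0))
            allowed = 1;                     /* assumption: anyExtendedKeyUsage is accepted */
        p += oid_len;
    }
    return allowed ? EKU_OK : EKU_WRONG_PURPOSE;
}

/* Constructed samples: EKU = {serverAuth} and EKU = {serverAuth, clientAuth}. */
static const unsigned char SAMPLE_SERVER_ONLY[] = {0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char SAMPLE_BOTH[] = {0x30,0x14,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02};
```

A certificate whose extension lists only serverAuth yields `EKU_WRONG_PURPOSE`, which is the case the message is concerned with; a truncated or empty extension is rejected as `EKU_MALFORMED` rather than being treated as unrestricted.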