How to contribute fix for checking x509 extended key attrs to nginx?

Maxim Dounin mdounin at
Wed Jan 11 14:02:12 UTC 2017


On Tue, Jan 10, 2017 at 03:41:14PM -0800, Ethan Rahn via nginx-devel wrote:

> Hello,
> I noticed that nginx does not check x509v3 certificates ( in
> event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example ) to see
> that the optional extended key usage settings are correct. I have a patch
> for this that I would like to contribute, but I'm unable to find
> contribution guidelines on the nginx web-site.
> The effect of this issue is that someone could offer a client certificate
> that has extended key usage set to say, serverAuth. This would be a
> violation of RFC 5280 - Section I fix this by checking the
> bitfield manually to see that the settings are correct.

Note that nginx relies on OpenSSL to verify certificates, and 
checking things manually might not be a good idea.  If you think 
that somthing is missing, a better solution might be to improve 
OpenSSL checking instead.

Maxim Dounin

More information about the nginx-devel mailing list