[PATCH] SSL: support for client proxy certificates
Francesco Giacomini
francesco.giacomini at cnaf.infn.it
Mon Mar 18 10:53:52 UTC 2019
# HG changeset patch
# User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
# Date 1552665342 -3600
# Fri Mar 15 16:55:42 2019 +0100
# Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
# Parent c74904a1702135f673a275bd0d36f010a3bfb89a
SSL: support for client proxy certificates
Add the option ssl_allow_proxy_certs to allow client authentication
through X.509 proxy certificates (RFC 3820).
It used to be possible by setting the environment variable
OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
done programmatically.
diff -r c74904a17021 -r 0b5d82532ea5 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Sat Mar 09 03:03:56 2019 +0300
+++ b/contrib/vim/syntax/nginx.vim Fri Mar 15 16:55:42 2019 +0100
@@ -581,6 +581,7 @@
syn keyword ngxDirective contained ssi_silent_errors
syn keyword ngxDirective contained ssi_types
syn keyword ngxDirective contained ssi_value_length
+syn keyword ngxDirective contained ssl_allow_proxy_certs
syn keyword ngxDirective contained ssl_buffer_size
syn keyword ngxDirective contained ssl_certificate
syn keyword ngxDirective contained ssl_certificate_key
diff -r c74904a17021 -r 0b5d82532ea5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Sat Mar 09 03:03:56 2019 +0300
+++ b/src/event/ngx_event_openssl.c Fri Mar 15 16:55:42 2019 +0100
@@ -1471,6 +1471,29 @@
ngx_int_t
+ngx_ssl_allow_proxy_certs(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
+{
+ X509_STORE *store;
+
+ if (!enable) {
+ return NGX_OK;
+ }
+
+ store = SSL_CTX_get_cert_store(ssl->ctx);
+
+ if (store == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_get_cert_store() failed");
+ return NGX_ERROR;
+ }
+
+ X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
if (!enable) {
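Review bot: The flag is set on the store returned by SSL_CTX_get_cert_store(), i.e. the SSL_CTX-wide X509_STORE, so it relaxes every chain verification that goes through this context, not only the client-certificate check the directive is named after; a comment above the X509_STORE_set_flags() call should say so, e.g. `/* ctx-wide store: affects every chain verified via ssl->ctx, not only client certs */`. Since an RFC 3820 proxy is issued by an end-entity certificate, each proxy adds a level to the client chain, so operators will likely need a larger ssl_verify_depth and should expect the client-subject variables to show the proxy's subject rather than the delegating identity; this follows from OpenSSL's proxy handling rather than from lines in the hunk, so confirm it, but it belongs in the directive's documentation. The error path around the NULL store mirrors the file's other ngx_ssl_error() uses, and `cf` being unused matches the sibling ngx_ssl_client_session_cache() below, which is fine for signature consistency.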
diff -r c74904a17021 -r 0b5d82532ea5 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Sat Mar 09 03:03:56 2019 +0300
+++ b/src/event/ngx_event_openssl.h Fri Mar 15 16:55:42 2019 +0100
@@ -180,6 +180,8 @@
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
+ngx_int_t ngx_ssl_allow_proxy_certs(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable);
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length);
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
diff -r c74904a17021 -r 0b5d82532ea5 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Sat Mar 09 03:03:56 2019 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Mar 15 16:55:42 2019 +0100
@@ -249,6 +249,13 @@
offsetof(ngx_http_ssl_srv_conf_t, early_data),
NULL },
+ { ngx_string("ssl_allow_proxy_certs"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, allow_proxy_certs),
+ NULL },
+
ngx_null_command
};
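Review bot: The directive is registered only in the http ssl module; if proxy-certificate clients are also expected on stream listeners, ngx_stream_ssl_module has the equivalent ssl_verify_client path and would need the same flag field, merge default and ngx_ssl_allow_proxy_certs() call, which this patch does not touch (inferred from the stream module existing in this tree, not from the hunk). The entry itself follows the layout of the neighbouring ssl_* commands and is gated to main/server context like ssl_verify_client, which is appropriate. The ngx_http_ssl_commands array starts outside this hunk.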
@@ -580,6 +587,7 @@
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->allow_proxy_certs = NGX_CONF_UNSET;
return sscf;
}
@@ -647,6 +655,8 @@
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
+ ngx_conf_merge_value(conf->allow_proxy_certs, prev->allow_proxy_certs, 0);
+
conf->ssl.log = cf->log;
if (conf->enable) {
@@ -857,6 +867,10 @@
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_allow_proxy_certs(cf, &conf->ssl, conf->allow_proxy_certs) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
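Review bot: The added `if` line runs past nginx's 80-column limit; wrap it the way the file wraps its other long calls, `if (ngx_ssl_allow_proxy_certs(cf, &conf->ssl, conf->allow_proxy_certs)` on one line and `!= NGX_OK)` indented on the next. Enabling allow_proxy_certs without ssl_verify_client does nothing useful, because no client chain is ever verified, so a config-time `ngx_conf_log_error(NGX_LOG_WARN, ...)` when the flag is on and client verification is off would turn a silent misconfiguration into a visible one (which field carries the verify setting is decided in the part of the merge function outside this hunk). ngx_http_ssl_merge_srv_conf() starts outside this hunk.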
diff -r c74904a17021 -r 0b5d82532ea5 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Sat Mar 09 03:03:56 2019 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Fri Mar 15 16:55:42 2019 +0100
@@ -59,6 +59,8 @@
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
+ ngx_flag_t allow_proxy_certs;
+
u_char *file;
ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;