[PATCH] SSL: support for client proxy certificates
Maxim Dounin
mdounin at mdounin.ru
Mon Mar 18 15:08:28 UTC 2019
Hello!
On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:
> # HG changeset patch
> # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> # Date 1552665342 -3600
> # Fri Mar 15 16:55:42 2019 +0100
> # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> # Parent c74904a1702135f673a275bd0d36f010a3bfb89a
> SSL: support for client proxy certificates
>
> Add the option ssl_allow_proxy_certs to allow client authentication
> through X.509 proxy certificates (RFC 3820).
>
> It used to be possible by setting the environment variable
> OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> done programmatically.
Thanks for the patch.
Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:
: For these reasons, OpenSSL requires that the use of proxy certificates be
: explicitly allowed. Currently, this can be done using the following methods:
:
: - if the application directly calls X509_verify_cert(), it can first call:
:
: X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
:
: Where ctx is the pointer which then gets passed to X509_verify_cert().
:
: - proxy certificate validation can be enabled before starting the application
: by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
:
: In the future, it might be possible to enable proxy certificates by editing
: openssl.cnf.
Since nginx does not call X509_verify_cert() directly, the only
documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS
environment variable.
If this functionality is important for you, and given that the
documented approach no longer works, have you considered filing a
bug to the OpenSSL team? It looks like at least one already
exists, though it lacks a proper description of the problem:
https://github.com/openssl/openssl/issues/8177
I'm also a bit sceptical about how common proxy certificates are
and whether they need to be supported by nginx, given that
there is still no support even in openssl.cnf.
--
Maxim Dounin
http://mdounin.ru/
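The OpenSSL HOWTO quoted above makes the security-relevant point that proxy-certificate validation is off by default and has to be switched on explicitly by the application. The following is an added example (not part of the thread, the nginx patch, or OpenSSL's own documentation) showing the programmatic opt-in from Python's ssl module, which sets the same X509_V_FLAG_ALLOW_PROXY_CERTS bit on the context's X509_VERIFY_PARAM that the C calls in the HOWTO set. It assumes a Python with an OpenSSL backend; `ssl.VERIFY_ALLOW_PROXY_CERTS` exists from Python 3.10, and for older interpreters the fallback constant 0x40 is taken from OpenSSL's x509_vfy.h (an assumption stated in the code).

```python
import ssl

# Value of X509_V_FLAG_ALLOW_PROXY_CERTS in OpenSSL's x509_vfy.h.
# Assumption: used only as a fallback on Pythons older than 3.10,
# which do not expose ssl.VERIFY_ALLOW_PROXY_CERTS.
ALLOW_PROXY_CERTS = getattr(ssl, "VERIFY_ALLOW_PROXY_CERTS", 0x40)


def make_client_auth_context(allow_proxy_certs: bool) -> ssl.SSLContext:
    """Build a server-side context that requires a client certificate.

    Proxy certificates (RFC 3820) are rejected by OpenSSL's verifier unless
    the ALLOW_PROXY_CERTS flag is set, so the opt-in is explicit here.
    The CA bundle and server key pair would be loaded with
    ctx.load_verify_locations() / ctx.load_cert_chain() as usual.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # client must present a certificate
    if allow_proxy_certs:
        # OR the bit into the existing verify flags (the setter translates
        # this into X509_VERIFY_PARAM_set_flags on the underlying SSL_CTX).
        ctx.verify_flags |= ALLOW_PROXY_CERTS
    return ctx


def proxy_certs_allowed(ctx: ssl.SSLContext) -> bool:
    """Report whether the verifier attached to ctx will accept proxy certs."""
    return bool(ctx.verify_flags & ALLOW_PROXY_CERTS)


def disallow_proxy_certs(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear the flag again, returning the context to OpenSSL's default."""
    ctx.verify_flags &= ~ALLOW_PROXY_CERTS
    return ctx


if __name__ == "__main__":
    # Default: proxy certificates are not accepted.
    print("default allows proxy certs:",
          proxy_certs_allowed(make_client_auth_context(False)))
    # Explicit opt-in, as the nginx patch proposes via a directive.
    print("opted-in allows proxy certs:",
          proxy_certs_allowed(make_client_auth_context(True)))
```

Whether the flag is honoured end to end still depends on the OpenSSL build Python is linked against; the check above only reads back the verify parameter, it does not perform a certificate verification.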