[PATCH] SSL: support for client proxy certificates

Maxim Dounin mdounin at mdounin.ru
Mon Mar 18 15:08:28 UTC 2019


On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:

> # HG changeset patch
> # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> # Date 1552665342 -3600
> #      Fri Mar 15 16:55:42 2019 +0100
> # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> # Parent  c74904a1702135f673a275bd0d36f010a3bfb89a
> SSL: support for client proxy certificates
> Add the option ssl_allow_proxy_certs to allow client authentication
> through X.509 proxy certificates (RFC 3820).
> It used to be possible by setting the environment variable
> OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> done programmatically.

Thanks for the patch.

Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:

: For these reasons, OpenSSL requires that the use of proxy certificates be
: explicitly allowed.  Currently, this can be done using the following methods:
: - if the application directly calls X509_verify_cert(), it can first call:
:   X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
:   Where ctx is the pointer which then gets passed to X509_verify_cert().
: - proxy certificate validation can be enabled before starting the application
:   by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
: In the future, it might be possible to enable proxy certificates by editing
: openssl.cnf.

Since nginx does not call X509_verify_cert() directly, the only 
documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS 
environment variable.

If this functionality is important for you, and given that the 
documented approach no longer works, have you considered filing a 
bug with the OpenSSL team?  It looks like at least one already 
exists, though it lacks a proper description of the problem:


I'm also a bit sceptical about how common proxy certificates are 
and whether these need to be supported by nginx, given that 
there is still no support even in openssl.cnf.

Maxim Dounin
