[PATCH] SSL: support for client proxy certificates

Francesco Giacomini francesco.giacomini at cnaf.infn.it
Mon Mar 18 15:39:38 UTC 2019


Hello.

Thanks for the quick reply.

On Mon, Mar 18, 2019 at 06:08:28PM +0300, Maxim Dounin wrote:
> On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:
> 
> > # HG changeset patch
> > # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> > # Date 1552665342 -3600
> > #      Fri Mar 15 16:55:42 2019 +0100
> > # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> > # Parent  c74904a1702135f673a275bd0d36f010a3bfb89a
> > SSL: support for client proxy certificates
> > 
> > Add the option ssl_allow_proxy_certs to allow client authentication
> > through X.509 proxy certificates (RFC 3820).
> > 
> > It used to be possible by setting the environment variable
> > OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> > done programmatically.
> 
> Thanks for the patch.

Thanks for nginx.

> Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:
> 
> : For these reasons, OpenSSL requires that the use of proxy certificates be
> : explicitly allowed.  Currently, this can be done using the following methods:
> : 
> : - if the application directly calls X509_verify_cert(), it can first call:
> : 
> :   X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
> : 
> :   Where ctx is the pointer which then gets passed to X509_verify_cert().
> : 
> : - proxy certificate validation can be enabled before starting the application
> :   by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
> : 
> : In the future, it might be possible to enable proxy certificates by editing
> : openssl.cnf.
>
> Since nginx does not call X509_verify_cert() directly, the only 
> documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS 
> environment variable.

I think they simply forgot to change the documentation.

> If this functionality is important for you, and given that the 
> documented approach no longer works, have you considered filing a 
> bug to the OpenSSL team?  It looks like at least one already 
> exists, though lacks proper description of the problem:
> 
> https://github.com/openssl/openssl/issues/8177
> 
> I'm also a bit sceptical about the how proxy certificates are 
> common and if these needs to be supported by nginx, given that 
> there is still no support even in openssl.cnf.

As far as I know, proxy certificates were introduced as the basic
mechanism for authN and authZ in Grid computing, where they are still
widely used. It may well be that's the only field though. Indeed also
the submitter of that issue is in that field.

I didn't consider asking OpenSSL to revert their commit; I tend to
agree with their comment that using an environment variable is a hack.

Said that, I don't insist that this patch gets merged if you don't see
it of general enough use. In fact I have an alternative solution
implemented in a module I've written, which consists more or less in
the following:

static char* ngx_http_mymodule_merge_srv_conf(ngx_conf_t* cf, void*, void*)
{
  ngx_http_ssl_srv_conf_t* conf = 
      ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);

  if (conf->ssl.ctx != NULL) {
      X509_STORE *store = SSL_CTX_get_cert_store(conf->ssl.ctx);
      X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
  }

  return NGX_CONF_OK;
}

I would appreciate if you could tell me if it is viable; I'm not
really an expert in nginx development.

F.


More information about the nginx-devel mailing list