[PATCH] SSL: support for client proxy certificates
Maxim Dounin
mdounin at mdounin.ru
Mon Mar 18 16:29:38 UTC 2019
Hello!
On Mon, Mar 18, 2019 at 04:39:38PM +0100, Francesco Giacomini wrote:
> Hello.
>
> Thanks for the quick reply.
>
> On Mon, Mar 18, 2019 at 06:08:28PM +0300, Maxim Dounin wrote:
> > On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:
> >
> > > # HG changeset patch
> > > # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> > > # Date 1552665342 -3600
> > > # Fri Mar 15 16:55:42 2019 +0100
> > > # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> > > # Parent c74904a1702135f673a275bd0d36f010a3bfb89a
> > > SSL: support for client proxy certificates
> > >
> > > Add the option ssl_allow_proxy_certs to allow client authentication
> > > through X.509 proxy certificates (RFC 3820).
> > >
> > > It used to be possible by setting the environment variable
> > > OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> > > done programmatically.
> >
> > Thanks for the patch.
>
> Thanks for nginx.
>
> > Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:
> >
> > : For these reasons, OpenSSL requires that the use of proxy certificates be
> > : explicitly allowed. Currently, this can be done using the following methods:
> > :
> > : - if the application directly calls X509_verify_cert(), it can first call:
> > :
> > : X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
> > :
> > : Where ctx is the pointer which then gets passed to X509_verify_cert().
> > :
> > : - proxy certificate validation can be enabled before starting the application
> > : by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
> > :
> > : In the future, it might be possible to enable proxy certificates by editing
> > : openssl.cnf.
> >
> > Since nginx does not call X509_verify_cert() directly, the only
> > documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS
> > environment variable.
>
> I think they simply forgot to change the documentation.
Well, this is likely what indeed happened. But either way there
is a bug in OpenSSL: either the code or the documentation is
wrong. And, given the number of recent cases with OpenSSL
changes, I really want them to decide it themselves where the bug
is.
Note well that the documentation never mentions that the
environment variable is a hack and properly written programs which
simply use client certificate authentication as with
SSL_CTX_set_verify(SSL_VERIFY_PEER) should use
X509_STORE_CTX_set_flags(X509_V_FLAG_ALLOW_PROXY_CERTS) instead.
Instead, it specifically mentions that OPENSSL_ALLOW_PROXY_CERTS
should be used in this case, providing no other alternatives.
This makes removing the OPENSSL_ALLOW_PROXY_CERTS environment
variable support highly questionable from compatibility point of
view, since no application could foresee it will be removed.
> > If this functionality is important for you, and given that the
> > documented approach no longer works, have you considered filing a
> > bug to the OpenSSL team? It looks like at least one already
> > exists, though lacks proper description of the problem:
> >
> > https://github.com/openssl/openssl/issues/8177
> >
> > I'm also a bit sceptical about the how proxy certificates are
> > common and if these needs to be supported by nginx, given that
> > there is still no support even in openssl.cnf.
>
> As far as I know, proxy certificates were introduced as the basic
> mechanism for authN and authZ in Grid computing, where they are still
> widely used. It may well be that's the only field though. Indeed also
> the submitter of that issue is in that field.
Thanks for the details. Indeed it looks like these are only used
in Grid computing. It would be interesting to hear how nginx is
used in such workloads.
> I didn't consider asking OpenSSL to revert their commit; I tend to
> agree with their comment that using an environment variable is a hack.
>
> Said that, I don't insist that this patch gets merged if you don't see
> it of general enough use. In fact I have an alternative solution
> implemented in a module I've written, which consists more or less in
> the following:
>
> static char* ngx_http_mymodule_merge_srv_conf(ngx_conf_t* cf, void*, void*)
> {
> ngx_http_ssl_srv_conf_t* conf =
> ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
>
> if (conf->ssl.ctx != NULL) {
> X509_STORE *store = SSL_CTX_get_cert_store(conf->ssl.ctx);
> X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
> }
>
> return NGX_CONF_OK;
> }
>
> I would appreciate if you could tell me if it is viable; I'm not
> really an expert in nginx development.
This approach may have problems with further nginx changes, but
likely it will work good enough.
For maximum compatibility, my recommendation would be to ask
OpenSSL to introduce an openssl.cnf option, so you will be able to
configure things via openssl.cnf.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list