[PATCH] SSL: support for client proxy certificates

Maxim Dounin mdounin at mdounin.ru
Mon Mar 18 16:29:38 UTC 2019


Hello!

On Mon, Mar 18, 2019 at 04:39:38PM +0100, Francesco Giacomini wrote:

> Hello.
> 
> Thanks for the quick reply.
> 
> On Mon, Mar 18, 2019 at 06:08:28PM +0300, Maxim Dounin wrote:
> > On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:
> > 
> > > # HG changeset patch
> > > # User Francesco Giacomini <francesco.giacomini at cnaf.infn.it>
> > > # Date 1552665342 -3600
> > > #      Fri Mar 15 16:55:42 2019 +0100
> > > # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> > > # Parent  c74904a1702135f673a275bd0d36f010a3bfb89a
> > > SSL: support for client proxy certificates
> > > 
> > > Add the option ssl_allow_proxy_certs to allow client authentication
> > > through X.509 proxy certificates (RFC 3820).
> > > 
> > > It used to be possible by setting the environment variable
> > > OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> > > done programmatically.
> > 
> > Thanks for the patch.
> 
> Thanks for nginx.
> 
> > Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:
> > 
> > : For these reasons, OpenSSL requires that the use of proxy certificates be
> > : explicitly allowed.  Currently, this can be done using the following methods:
> > : 
> > : - if the application directly calls X509_verify_cert(), it can first call:
> > : 
> > :   X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
> > : 
> > :   Where ctx is the pointer which then gets passed to X509_verify_cert().
> > : 
> > : - proxy certificate validation can be enabled before starting the application
> > :   by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
> > : 
> > : In the future, it might be possible to enable proxy certificates by editing
> > : openssl.cnf.
> >
> > Since nginx does not call X509_verify_cert() directly, the only 
> > documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS 
> > environment variable.
> 
> I think they simply forgot to change the documentation.

Well, this is likely what indeed happened.  But either way there 
is a bug in OpenSSL: either the code or the documentation is 
wrong.  And, given the number of recent cases with OpenSSL 
changes, I really want them to decide it themselves where the bug 
is.

Note well that the documentation never mentions that the 
environment variable is a hack and properly written programs which 
simply use client certificate authentication as with 
SSL_CTX_set_verify(SSL_VERIFY_PEER) should use 
X509_STORE_CTX_set_flags(X509_V_FLAG_ALLOW_PROXY_CERTS) instead.  
Instead, it specifically mentions that OPENSSL_ALLOW_PROXY_CERTS 
should be used in this case, providing no other alternatives.  
This makes removing the OPENSSL_ALLOW_PROXY_CERTS environment 
variable support highly questionable from a compatibility point of 
view, since no application could foresee that it would be removed.

> > If this functionality is important for you, and given that the 
> > documented approach no longer works, have you considered filing a 
> > bug to the OpenSSL team?  It looks like at least one already 
> > exists, though lacks proper description of the problem:
> > 
> > https://github.com/openssl/openssl/issues/8177
> > 
> > I'm also a bit sceptical about how common proxy certificates are 
> > and whether they need to be supported by nginx, given that 
> > there is still no support even in openssl.cnf.
> 
> As far as I know, proxy certificates were introduced as the basic
> mechanism for authN and authZ in Grid computing, where they are still
> widely used. It may well be that's the only field though. Indeed, the
> submitter of that issue is also in that field.

Thanks for the details.  Indeed it looks like these are only used 
in Grid computing.  It would be interesting to hear how nginx is 
used in such workloads.

> I didn't consider asking OpenSSL to revert their commit; I tend to
> agree with their comment that using an environment variable is a hack.
> 
> That said, I don't insist that this patch gets merged if you don't see
> it as being of general enough use. In fact I have an alternative solution
> implemented in a module I've written, which consists more or less of
> the following:
> 
> #include <ngx_config.h>
> #include <ngx_core.h>
> #include <ngx_http.h>
> 
> static char *
> ngx_http_mymodule_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
> {
>     ngx_http_ssl_srv_conf_t  *conf;
>     X509_STORE               *store;
> 
>     /* the ssl module's srv conf; ssl.ctx is non-NULL once it has been merged */
>     conf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
> 
>     if (conf->ssl.ctx != NULL) {
>         /* flags set on the context's X509_STORE apply to every client
>          * certificate verification done with this SSL_CTX */
>         store = SSL_CTX_get_cert_store(conf->ssl.ctx);
>         X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
>     }
> 
>     return NGX_CONF_OK;
> }
> 
> I would appreciate if you could tell me if it is viable; I'm not
> really an expert in nginx development.

This approach may have problems with further nginx changes, but 
likely it will work well enough.

For maximum compatibility, my recommendation would be to ask 
OpenSSL to introduce an openssl.cnf option, so you will be able to 
configure things via openssl.cnf.

-- 
Maxim Dounin
http://mdounin.ru/
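As an added example, not part of this thread nor of nginx or OpenSSL: the script below builds a CA, an end-entity certificate and an RFC 3820 proxy certificate with the openssl CLI, then verifies the chain with and without the flag discussed above (openssl verify exposes X509_V_FLAG_ALLOW_PROXY_CERTS as -allow_proxy_certs). The config, subjects and serials are constructed; it assumes an openssl 1.1.1 or 3.x CLI on the PATH.

```shell
# Added demonstration: CA -> end entity -> proxy chain, verified with and
# without X509_V_FLAG_ALLOW_PROXY_CERTS (-allow_proxy_certs in openssl verify).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
# Constructed minimal config: empty DN section (subjects come from -subj) plus
# one extension section per certificate in the chain.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[v3_proxy]
proxyCertInfo = critical, language:id-ppl-anyLanguage, pathlen:0, policy:text:AB
EOF
# new_csr NAME SUBJECT: fresh P-256 key plus CSR in $WORK
new_csr() {
    openssl req -new -config "$CFG" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}
build_chain() {
    openssl req -x509 -config "$CFG" -extensions v3_ca -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Example Grid CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
    new_csr alice "/CN=alice"
    openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 2 -days 1 -extfile "$CFG" -extensions v3_ee -out "$WORK/alice.crt" 2>/dev/null
    # A proxy's subject is its issuer's subject plus exactly one extra CN, and
    # it is signed by the end entity's own key, not by a CA.
    new_csr proxy "/CN=alice/CN=proxy"
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/alice.crt" -CAkey "$WORK/alice.key" \
        -set_serial 3 -days 1 -extfile "$CFG" -extensions v3_proxy -out "$WORK/proxy.crt" 2>/dev/null
}
# verify_proxy [-allow_proxy_certs]: succeeds only if openssl reports the chain OK
verify_proxy() {
    openssl verify "$@" -CAfile "$WORK/ca.crt" -untrusted "$WORK/alice.crt" \
        "$WORK/proxy.crt" 2>&1 | grep -q ': OK$'
}
build_chain
if verify_proxy; then echo "unexpected: proxy accepted without the flag"; exit 1; fi
verify_proxy -allow_proxy_certs && echo "proxy chain accepted once the flag is set"
```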

