[PATCH] SSL: add new variable $ssl_client_fingerprint_sha256

Andy Brody git at abrody.com
Tue Nov 19 17:08:18 UTC 2019

The existing $ssl_client_fingerprint uses SHA-1 to compute the certificate
digest. This is no longer considered secure. The CA/Browser forum voted to
sunset use of SHA1 in 2014, and all major CAs ceased issuing SHA1 certificates
at the end of 2015.

The first publicly known collision in the full SHA-1 was discovered in 2017.

NGINX users should be able to switch to SHA-256 for TLS client certificate
fingerprints. Ideally $ssl_client_fingerprint should be deprecated.

Add a new variable, $ssl_client_fingerprint_sha256, which uses SHA-256 instead.

Refactor ngx_ssl_get_fingerprint() into a new function
ngx_ssl_get_fingerprint_generic(), which accepts any OpenSSL digest function,
and add ngx_ssl_get_fingerprint_sha256().

 src/event/ngx_event_openssl.c          |  17 ++++++++++++++++-
 src/event/ngx_event_openssl.h          |   4 ++++
 src/http/modules/ngx_http_ssl_module.c |   3 +++
 src/stream/ngx_stream_ssl_module.c     |   3 +++
 4 files changed, 26 insertions(+), 1 deletions(-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx.patch
Type: text/x-patch
Size: 4179 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20191119/b8acd4de/attachment.bin>
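The patch itself is only available as the scrubbed attachment above, so the following is an added, stand-alone illustration of the pattern the message describes, not the patch's own code or nginx's: one generic fingerprint routine parameterised by digest (the role of `ngx_ssl_get_fingerprint_generic()`), thin SHA-1 and SHA-256 wrappers on top of it, and a defender-side check that compares a client certificate's fingerprint against a pinned value. It is written in Python with the standard library rather than C/OpenSSL so it runs anywhere; `SAMPLE_CERT_DER` is constructed bytes standing in for a certificate's DER encoding (a certificate fingerprint is simply a digest over those bytes, which is what OpenSSL's `X509_digest()` hashes), and the output format (lowercase hex, no separators) follows the form nginx's `$ssl_client_fingerprint` variable uses. The SHA-1 path is kept only so a legacy pin can be recognised and refused by default.

```python
import hashlib
import hmac

# Constructed stand-in for the DER encoding of a client certificate.
# It is NOT a real X.509 certificate; any bytes suffice to show the
# fingerprint computation, since the fingerprint is just a digest of
# the DER bytes (what OpenSSL's X509_digest() hashes).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

# Digests a fingerprint may use: "sha1" is the legacy $ssl_client_fingerprint
# algorithm, "sha256" the one the new variable introduces.
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def fingerprint_generic(cert_der: bytes, digest_name: str) -> str:
    """Return the certificate fingerprint as lowercase hex without separators.

    Mirrors the generic-function idea in the patch: the digest is a parameter
    instead of being hard-wired to SHA-1.
    """
    try:
        digest = _DIGESTS[digest_name]
    except KeyError:
        raise ValueError(f"unsupported fingerprint digest: {digest_name!r}")
    return digest(cert_der).hexdigest()


def fingerprint_sha1(cert_der: bytes) -> str:
    """Legacy SHA-1 fingerprint (40 hex characters)."""
    return fingerprint_generic(cert_der, "sha1")


def fingerprint_sha256(cert_der: bytes) -> str:
    """SHA-256 fingerprint (64 hex characters)."""
    return fingerprint_generic(cert_der, "sha256")


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' spellings and return bare lowercase hex."""
    cleaned = value.strip().replace(":", "").replace(" ", "").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def digest_for_fingerprint(value: str) -> str:
    """Infer the digest from the pinned fingerprint's length."""
    length = len(normalize_fingerprint(value))
    if length == 40:
        return "sha1"
    if length == 64:
        return "sha256"
    raise ValueError(f"fingerprint length {length} matches no supported digest")


def matches_pinned(cert_der: bytes, pinned: str, allow_sha1: bool = False) -> bool:
    """Constant-time check of a presented certificate against a pinned fingerprint.

    SHA-1 pins are rejected unless explicitly allowed, so a deployment that has
    moved to SHA-256 cannot silently keep accepting the weaker digest.
    """
    digest_name = digest_for_fingerprint(pinned)
    if digest_name == "sha1" and not allow_sha1:
        return False
    presented = fingerprint_generic(cert_der, digest_name)
    return hmac.compare_digest(presented, normalize_fingerprint(pinned))


if __name__ == "__main__":
    print("sha1   :", fingerprint_sha1(SAMPLE_CERT_DER))
    print("sha256 :", fingerprint_sha256(SAMPLE_CERT_DER))
    pin = fingerprint_sha256(SAMPLE_CERT_DER)
    print("match  :", matches_pinned(SAMPLE_CERT_DER, pin))
```

Pin the SHA-256 value in configuration and let `matches_pinned()` decide the digest from the pin's length; the `allow_sha1` switch exists only to let a migration compare old and new pins side by side before the SHA-1 ones are removed.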
