[PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampsonsprojects at gmail.com sampsonsprojects at gmail.com
Wed Jan 15 20:51:34 UTC 2020


# HG changeset patch
# User Sampson Crowley <sampsonsprojects at gmail.com>
# Date 1579118065 25200
#      Wed Jan 15 12:54:25 2020 -0700
# Node ID 4ba211814386f2e4adcd855b27d7d2534a5036a7
# Parent  8a7b59347401bba7b018c7292409ab095ce83466
Add "compliant" option to ssl_verify_client for CORS support

The CORS Spec specifically prohibits any form of credentials
during preflight checks. Because "on" fails ALL requests if
a certificate is not provided, it becomes impossible to use
"ssl_verify_client on;" with spec compliant browsers and CORS,
namely Firefox. I didn't want to break any configs that rely on
or prefer that failure to occur, so I added an additional option
to allow only OPTIONS requests to bypass the client certificate
validation.

diff -r 8a7b59347401 -r 4ba211814386 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Tue Jan 14 14:20:08 2020 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c	Wed Jan 15 12:54:25 2020 -0700
@@ -70,6 +70,7 @@
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
     { ngx_string("optional_no_ca"), 3 },
+    { ngx_string("compliant"), 4 },
     { ngx_null_string, 0 }
 };
 
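Review bot: The new table value `4` is a bare magic number that ngx_http_request.c then tests three times in the other file of this patch, and nothing at this site says what distinguishes it from `1`. A short comment on the entry would make the table self-describing, e.g. `{ ngx_string("compliant"), 4 },  /* as "on", but OPTIONS may omit the certificate */`. The mail and stream tables in this same patch map the same keyword to `1`, so the meaning of the value differs per module; a named enum for the verify modes would remove that ambiguity. The other consumers of sscf->verify (the server-conf merge, the ssl variables) are outside this hunk, so I cannot see whether any of them need to learn about a fourth value.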
diff -r 8a7b59347401 -r 4ba211814386 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	Tue Jan 14 14:20:08 2020 +0300
+++ b/src/http/ngx_http_request.c	Wed Jan 15 12:54:25 2020 -0700
@@ -2016,10 +2016,12 @@
                 return;
             }
 
-            if (sscf->verify == 1) {
+            if (sscf->verify == 1 || sscf->verify == 4) {
                 cert = SSL_get_peer_certificate(c->ssl->connection);
 
-                if (cert == NULL) {
+                if (cert == NULL
+                    && (sscf->verify != 4 || r->method != NGX_HTTP_OPTIONS))
+                {
                     ngx_log_error(NGX_LOG_INFO, c->log, 0,
                                   "client sent no required SSL certificate");
 
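Review bot: The added guard `(sscf->verify != 4 || r->method != NGX_HTTP_OPTIONS)` waives the certificate requirement on the method alone; nothing checks that the request is actually a CORS preflight (an Origin header plus Access-Control-Request-Method), which is what the commit message describes. Under `compliant`, every location of the server therefore accepts OPTIONS from clients holding no certificate, and whatever handler or upstream is configured for that location will process those requests. If preflight-only is the intent, additionally requiring the Origin request header before waiving the check would narrow the exposure; either way the directive documentation should state that OPTIONS is served without a client certificate in this mode and that handlers must consult `$ssl_client_verify` (which, as far as I recall, reports NONE when no certificate was sent) before trusting such a request. The enclosing function starts before this hunk; the verify-result check for a certificate that was presented but failed validation is outside the visible lines, so I have assumed it still runs ahead of this block.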
@@ -2030,7 +2032,9 @@
                     return;
                 }
 
-                X509_free(cert);
+                if(cert != NULL) {
+                    X509_free(cert);
+                }
             }
         }
     }
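Review bot: The guard `if(cert != NULL) {` around `X509_free(cert)` is redundant — X509_free is documented to do nothing when passed NULL — and it also departs from the `if (` spacing used on the surrounding lines of this file. Keep the original `X509_free(cert);` unchanged, or if the explicit guard is preferred for readability, write it as `if (cert != NULL) {`. The enclosing function starts before this hunk.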
diff -r 8a7b59347401 -r 4ba211814386 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Tue Jan 14 14:20:08 2020 +0300
+++ b/src/mail/ngx_mail_ssl_module.c	Wed Jan 15 12:54:25 2020 -0700
@@ -52,6 +52,7 @@
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
     { ngx_string("optional_no_ca"), 3 },
+    { ngx_string("compliant"), 1 },
     { ngx_null_string, 0 }
 };
 
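Review bot: `compliant` is mapped to `1` here, so in the mail module the new keyword is an undocumented alias for `on`; the stream hunk below does the same. Since these protocols have no request methods that is the only sensible behaviour, but an operator who copies the directive from an http block will not learn that the bypass does not exist there. Either leave the keyword out of these tables so the configuration parser rejects it, or mark the alias on the entry, e.g. `{ ngx_string("compliant"), 1 },  /* no request methods here: same as "on" */`.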
diff -r 8a7b59347401 -r 4ba211814386 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Tue Jan 14 14:20:08 2020 +0300
+++ b/src/stream/ngx_stream_ssl_module.c	Wed Jan 15 12:54:25 2020 -0700
@@ -64,6 +64,7 @@
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
     { ngx_string("optional_no_ca"), 3 },
+    { ngx_string("compliant"), 1 },
     { ngx_null_string, 0 }
 };
 

