[nginx] CONF: Make ssl_client_certificate directive optional with TLSv1.3
Praveen Chaudhary
pclicoder at gmail.com
Fri Aug 16 15:02:29 UTC 2024
Hi Nginx Devs
Bumping patch to the top for review.
CC: @Sergey Kandaurov
Thanks for contributing client certificate validation with OSCP. It is a
long awaited feature.
In this patch, I am trying to fix another lingering concern. It will be
great, if you can have a look.
# HG changeset patch
# User Praveen Chaudhary <praveen5582 at gmail.com>
# Date 1723406727 25200
# Sun Aug 11 13:05:27 2024 -0700
# Node ID 199a35c74b60437da9d22a70d257507b4afb1878
# Parent b5550a7f16c795f394f9d1ac87132dd2b7ef0e41
Make ssl_client_certificate directive optional with TLSv1.3.
- As per RFC 8446 Section 4.2.4, server MAY (not SHOULD or MUST)
send Certificate Authorities (CAs) in the Certificate Request
packet. This makes ssl_client_certificate directive optional
when only TLS 1.3 is used for mutual TLS configurations.
- Today, Nginx requires ssl_client_certificate directive to
be set to CA Certificates file, if ssl_verify_client is
enabled, even when using only TLS 1.3. Else Nginx does not
reload or restart.
diff -r b5550a7f16c7 -r 199a35c74b60 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -787,10 +787,16 @@
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}
if (ngx_ssl_client_certificate(cf, &conf->ssl,
diff -r b5550a7f16c7 -r 199a35c74b60 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -450,12 +450,19 @@
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}
+
if (ngx_ssl_client_certificate(cf, &conf->ssl,
&conf->client_certificate,
conf->verify_depth)
diff -r b5550a7f16c7 -r 199a35c74b60 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -932,10 +932,16 @@
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for
ssl_verify_client");
- return NGX_CONF_ERROR;
+ if (conf->protocols &
(NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)) {
+ /*
+ For TLS 1.3, It is optional to send Certificate Authorities in
+ Certificate Request Packet. RFC 8446#section-4.2.4
+ */
+ if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl_client_certificate for
ssl_verify_client");
+ return NGX_CONF_ERROR;
+ }
}
if (ngx_ssl_client_certificate(cf, &conf->ssl,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20240816/4ceec2ba/attachment.htm>
More information about the nginx-devel
mailing list