[PATCH 1 of 1] CONF: make ssl_client_certificate optional with only tlsv1_3

Praveen Chaudhary pclicoder at gmail.com
Tue Aug 13 06:34:56 UTC 2024


Hi Nginx Devs

*Testing done:*
Ran nginx-tests. Got the same results with or without the patch.

*PATCH description:*
As per RFC 8446 Section 4.2.4, server MAY (not SHOULD or MUST)
send Certificate Authorities (CAs) in the Certificate Request packet.

Today, Nginx makes the ssl_client_certificate directive mandatory
with ssl_verify_client. Issuers from this CA certificate file are sent to
the client in the Certificate Request packet.

If only the TLSv1.3 protocol is configured, and considering that it is not
mandatory to send CAs to clients, Nginx should make ssl_client_certificate
optional. This patch makes ssl_client_certificate optional.

*Code doubts:*
Currently I used [~NGX_SSL_TLSv1_3] to find if the configured protocols have
any other value than TLSv1.3.

Another way to do the same is:
[NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2].

Kindly let me know which way is more preferred.


*PATCH:*
# HG changeset patch
# User Praveen Chaudhary <praveen5582 at gmail.com>
# Date 1723406727 25200
#      Sun Aug 11 13:05:27 2024 -0700
# Node ID 9006e478c2f2a2e023fba104aff9c175c3e17e49
# Parent  b5550a7f16c795f394f9d1ac87132dd2b7ef0e41

Make ssl_client_certificate directive optional with TLSv1.3.

- As per RFC 8446 Section 4.2.4, server MAY (not SHOULD or MUST)
  send Certificate Authorities (CAs) in the Certificate Request
  packet. This makes ssl_client_certificate directive optional
  when only TLS 1.3 is used for mutual TLS configurations.

- Today, Nginx requires ssl_client_certificate directive to
  be set to CA Certificates file, if ssl_verify_client is
  enabled, even when using only TLS 1.3. Else Nginx does not
  reload or restart.

diff -r b5550a7f16c7 -r 9006e478c2f2 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -787,10 +787,16 @@

     if (conf->verify) {

-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for
ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for
ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }

         if (ngx_ssl_client_certificate(cf, &conf->ssl,
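Review bot: the new guard `if (conf->protocols & ~NGX_SSL_TLSv1_3)` stays true even when ssl_protocols is set to TLSv1.3 alone, because the merged `conf->protocols` bitmask also carries the NGX_CONF_BITMASK_SET flag (the same flag that appears in the alternative mask proposed in the mail), so the old error path is still taken and the directive never actually becomes optional; this is consistent with nginx-tests giving identical results with and without the patch. Mask that flag out as well, e.g. `if (conf->protocols & ~(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1_3))`, and add a test for `ssl_protocols TLSv1.3;` plus `ssl_verify_client on;` with no ssl_client_certificate so the relaxed path is exercised. Separately, once the CA file may be absent with `ssl_verify_client on`, the server has no trust anchors to build the client chain against unless ssl_trusted_certificate is configured, so the configuration check should require at least one of the two rather than letting a configuration through that can only fail verification at runtime.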
diff -r b5550a7f16c7 -r 9006e478c2f2 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -450,12 +450,19 @@

     if (conf->verify) {

-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for
ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for
ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }

+
         if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                        &conf->client_certificate,
                                        conf->verify_depth)
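Review bot: same masking problem as in the http module hunk: NGX_CONF_BITMASK_SET in `conf->protocols` keeps the condition true for a TLSv1.3-only configuration, so `~NGX_SSL_TLSv1_3` alone does not express "no protocol other than TLSv1.3". In addition, the lone `+` line inserted before the `ngx_ssl_client_certificate()` call leaves two consecutive empty lines inside the function; it is an unrelated whitespace change and should be dropped from the patch.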
diff -r b5550a7f16c7 -r 9006e478c2f2 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Fri Aug 09 19:12:26 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Sun Aug 11 13:05:27 2024 -0700
@@ -932,10 +932,16 @@

     if (conf->verify) {

-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for
ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for
ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }

         if (ngx_ssl_client_certificate(cf, &conf->ssl,
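Review bot: the added comment does not follow nginx's comment style: multi-line comments put a ` * ` prefix on each line and do not capitalise "It" mid-sentence, so something like `/*`, ` * for TLS 1.3 it is optional to send certificate authorities`, ` * in the CertificateRequest message, see RFC 8446 section 4.2.4` closed by ` */` would be the expected form (the same fix applies to the http and mail hunks). The same condition, with the same NGX_CONF_BITMASK_SET issue noted on the first hunk, is now copied verbatim into three modules; consider moving the "is anything older than TLSv1.3 enabled" decision into a single helper next to `ngx_ssl_client_certificate()` so the protocol-version logic is maintained in one place.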