[nginx] SSL: optional ssl_client_certificate for ssl_verify_client.
noreply at nginx.com
noreply at nginx.com
Fri Sep 20 10:44:02 UTC 2024
details: https://github.com/nginx/nginx/commit/18afcda938cd2d4712d0d083b57161290a5a2d34
branches: master
commit: 18afcda938cd2d4712d0d083b57161290a5a2d34
user: Sergey Kandaurov <pluknet at nginx.com>
date: Fri, 20 Sep 2024 14:08:42 +0400
description:
SSL: optional ssl_client_certificate for ssl_verify_client.
Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names. In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.
In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version. For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.
The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142). Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed. A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).
Co-authored-by: Praveen Chaudhary <praveenc at nvidia.com>
---
src/http/modules/ngx_http_ssl_module.c | 8 ++++++--
src/mail/ngx_mail_ssl_module.c | 8 ++++++--
src/stream/ngx_stream_ssl_module.c | 8 ++++++--
3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 1c92d9fa8..abc8d49ab 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -787,9 +787,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->verify != 3
+ && conf->client_certificate.len == 0
+ && conf->trusted_certificate.len == 0)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for ssl_verify_client");
+ "no ssl_client_certificate or "
+ "ssl_trusted_certificate for ssl_verify_client");
return NGX_CONF_ERROR;
}
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index aebb4ccb6..b547dc101 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -450,9 +450,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->verify != 3
+ && conf->client_certificate.len == 0
+ && conf->trusted_certificate.len == 0)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for ssl_verify_client");
+ "no ssl_client_certificate or "
+ "ssl_trusted_certificate for ssl_verify_client");
return NGX_CONF_ERROR;
}
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 072e74917..0233a9258 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -1008,9 +1008,13 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->verify) {
- if (conf->client_certificate.len == 0 && conf->verify != 3) {
+ if (conf->verify != 3
+ && conf->client_certificate.len == 0
+ && conf->trusted_certificate.len == 0)
+ {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no ssl_client_certificate for ssl_verify_client");
+ "no ssl_client_certificate or "
+ "ssl_trusted_certificate for ssl_verify_client");
return NGX_CONF_ERROR;
}
More information about the nginx-devel
mailing list