Trouble with ssl_verify_client option
Maxim Dounin
mdounin at mdounin.ru
Sun Nov 7 05:57:31 MSK 2010
Hello!
On Sat, Nov 06, 2010 at 01:18:11PM +0100, Luit van Drongelen wrote:
> On Sat, Nov 6, 2010 at 3:06 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> > Your simplified cases should both work ok (and they works ok here,
> > and I doubt you actually tested them). Though this one will cause
> > troubles without SNI:
>
> They do work for changing certificates, but the ssl_verify_client
> option won't be properly used. Furthermore the server will expect a
> client certificate when this is set to "on", though will not send any
> accepted accepted DNs (only when it's globally set it will work).
> Should this mean that I have SNI disabled, how do I enable this? I use
> a recent version of OpenSSL, I have compiled nginx with SNI support,
> according to nginx -V, so what am I missing here?
ENOPARSE. Do you mean you already using SNI to distinguish
between different virtual hosts (with different certificates) on
the same ip:port, and it works for certificates, but not for
ssl_verify_client, right?
This make sense: it looks like OpenSSL only changes certificate on
SSL_set_SSL_CTX(). Seems to be OpenSSL problem - it should apply
all settings from new context, at least ones which weren't
explicitly modified for the connection in question.
Attached patch implements workaround for the problem.
Maxim Dounin
-------------- next part --------------
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1289097786 -10800
# Node ID 5605da6c46460cedf749abbe281dcc650e24f324
# Parent 3bf207eb302653064251ec1b4e5427ed0cefc8d8
Better handle various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0a and earlier).
As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.
Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.
Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -669,6 +669,24 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
+ /*
+ * SSL_set_SSL_CTX() only changes certs as of 1.0.0a
+ * adjust other things we care about
+ */
+
+ SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
+ SSL_CTX_get_verify_callback(sscf->ssl.ctx));
+
+ SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
+
+#ifdef SSL_CTRL_CLEAR_OPTIONS
+ /* only in 0.9.8m+ */
+ SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
+ ~SSL_CTX_get_options(sscf->ssl.ctx));
+#endif
+
+ SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+
return SSL_TLSEXT_ERR_OK;
}
More information about the nginx
mailing list