[PATCH] Add "pass_only" option to ssl_verify_client to enable app-only validation

mk.fg nginx-forum at nginx.us
Thu Jul 19 21:13:01 UTC 2012


The proposed patch enables a use-case scenario where Nginx asks the client for a TLS
certificate but does not make any attempt to validate it, passing it to
the application instead. The application itself is then free to decide
whether the provided certificate is valid and is able to reject it with the
same http status codes as Nginx does.

The same use-case is also referenced in
"http://forum.nginx.org/read.php?2,15584" and is *critical* for
implementing protocols like WebID (http://www.w3.org/wiki/WebID), which
relies on custom TLS certificates signed with keys that are
unknown in advance.
With the patch, that can be accomplished by specifying
"ssl_verify_client pass_only;" ("ssl_client_certificate" is *not* used
in this case) and using "uwsgi_param X_CLIENT_CERT
$ssl_client_raw_cert;" (or similar options for different backends).

Currently, Nginx supports the "off", "on" and "optional" parameters to the
"ssl_verify_client" option, the latter two of which ("on" and "optional")
require a CA certificate (specified with the "ssl_client_certificate" option)
and perform a mandatory check against it if the client provides a certificate.
The "optional" parameter seems to allow the client to skip providing the
certificate, but still requires a CA certificate and performs the check
(if the client provides the cert), returning http status 495 if validation
against that CA fails.
So there is currently no way to require a client certificate but perform
its validation in the application (or on whatever backend) only, hence the

Please consider merging the patch into the nginx codebase, enabling the
aforementioned use-case in some other way, or at least commenting on why
it might be a wrong or unsuitable approach/feature (if only to block
further proposals in the same vein).

Patch is made on top of current (as of 07.2012) svn trunk.
In case forum interface mangles the inline attachment, it can also be
found on the following URL: https://raw.github.com/gist/3146701/

From 0ade221a2dbaeedfa5255875a89485166221a6f0 Mon Sep 17 00:00:00 2001
From: Mike Kazantsev <mk.fraggod at gmail.com>
Date: Fri, 20 Jul 2012 02:45:10 +0600
Subject: [PATCH] Add "pass_only" option to ssl_verify_client to enable
 app-only validation

 src/http/modules/ngx_http_ssl_module.c |    3 ++-
 src/http/ngx_http_request.c            |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/http/modules/ngx_http_ssl_module.c
index d759489..4435435 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -48,6 +48,7 @@ static ngx_conf_enum_t  ngx_http_ssl_verify[] = {
     { ngx_string("off"), 0 },
     { ngx_string("on"), 1 },
     { ngx_string("optional"), 2 },
+    { ngx_string("pass_only"), 3 },
     { ngx_null_string, 0 }
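Review bot: the new enum value `3` for "pass_only" is a bare integer that the other two hunks then compare against literally (`conf->verify != 3`, `sscf->verify != 3`); give it a name next to this table (something like `#define NGX_HTTP_SSL_VERIFY_PASS_ONLY 3`, hypothetical name) so the three sites cannot drift apart, and add the new value to the `ssl_verify_client` documentation, since the cover letter is currently the only description of its semantics. The name itself also reads as a verification policy rather than a presence policy: the cover letter says the certificate is required but unverified, so the documentation needs to state explicitly whether a client that sends no certificate is rejected.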
@@ -466,7 +467,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void
*parent, void *child)
     if (conf->verify) {
-        if (conf->client_certificate.len == 0) {
+        if (conf->verify != 3 && conf->client_certificate.len == 0) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                           "no ssl_client_certificate for
             return NGX_CONF_ERROR;
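Review bot: the relaxed condition `if (conf->verify != 3 && conf->client_certificate.len == 0)` only suppresses the configuration error; nothing in this hunk shows what the rest of the `if (conf->verify)` block does when the mode is 3 and `client_certificate` is empty, so the reviewer needs to see that the code following it (the part that installs the verify callback and loads the CA file) tolerates an empty path rather than failing or silently running with no trust store. The opposite combination is also unhandled: the cover letter says `ssl_client_certificate` is not used with `pass_only`, yet a configuration that sets both is accepted without a warning, so an operator may believe the CA check is still in force; emit a config error or at least a warning for that case. Note also that the inline copy of this hunk is mangled (the `@@` header is wrapped across two lines and the log message line is cut off at "no ssl_client_certificate for"), so the patch should be reviewed and applied from the linked gist, not from the post.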
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 26420b1..11373dc 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1631,7 +1631,7 @@ ngx_http_process_request(ngx_http_request_t *r)
         sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
-        if (sscf->verify) {
+        if (sscf->verify && sscf->verify != 3) {
             rc = SSL_get_verify_result(c->ssl->connection);
             if (rc != X509_V_OK) {
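Review bot: `sscf->verify && sscf->verify != 3` skips the whole verification block for mode 3, not just the `SSL_get_verify_result` comparison, so any handling that lives inside that block (the 495 path the cover letter mentions, and any check for a missing certificate) no longer runs; unless a missing-certificate check exists elsewhere, a client that presents no certificate at all is passed straight through to the backend, which contradicts "require client certificate but perform its validation in application". If a required-but-unverified certificate is the intent, keep entering the block for mode 3 and skip only the `rc != X509_V_OK` test, for example by checking that `SSL_get_peer_certificate(c->ssl->connection)` is non-NULL (and freeing it) before falling through; otherwise rename the option so that it says the certificate is optional. Either way the backend receives a certificate whose chain nginx has not checked and must treat `$ssl_client_raw_cert` as untrusted input.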

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,228761,228761#msg-228761
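The backend half of the flow the post describes, as an added example that is not part of the original post, the patch or nginx: nginx hands the application the certificate via `uwsgi_param X_CLIENT_CERT $ssl_client_raw_cert;` and the application makes the trust decision, answering with the same 495/496 codes nginx uses. It assumes a WSGI backend (so the uwsgi_param shows up as the environ key `X_CLIENT_CERT`), accepts both the plain `$ssl_client_raw_cert` form and the tab-indented `$ssl_client_cert` form, and uses a SHA-256 fingerprint allow-list as the stand-in trust policy; a WebID deployment would instead look the certificate's public key up at its subjectAltName URI. The DER bytes are constructed for the example and are not a real X.509 certificate.

```python
"""Backend-side decision for the "pass_only" flow: nginx forwards the client
certificate it received during the TLS handshake and the application decides
whether to trust it, answering with the codes nginx uses
(495: certificate error, 496: no certificate sent).

Added example, not code from the patch or from nginx. Assumptions:
  - nginx is configured with
        uwsgi_param X_CLIENT_CERT $ssl_client_raw_cert;   (or $ssl_client_cert)
    so the certificate arrives in the WSGI environ under the key X_CLIENT_CERT.
    A client cannot forge that key: request headers are mapped to HTTP_* names.
  - Trust is a SHA-256 fingerprint allow-list of DER certificates (constructed
    here); WebID would look the public key up at the subjectAltName URI instead.
"""
import base64
import hashlib
import ssl

# Hex SHA-256 fingerprints of DER certificates the application trusts.
TRUSTED_FINGERPRINTS = set()

# Constructed DER bytes standing in for a certificate; NOT a real X.509 cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def fingerprint(der):
    """Hex SHA-256 of the DER encoding, the key used in the allow-list."""
    return hashlib.sha256(der).hexdigest()


def trust_der(der):
    """Register a certificate (by fingerprint) as trusted; returns the fingerprint."""
    fp = fingerprint(der)
    TRUSTED_FINGERPRINTS.add(fp)
    return fp


def make_pem(der):
    """Wrap DER bytes in PEM armour, the shape $ssl_client_raw_cert delivers."""
    body = base64.encodebytes(der).decode("ascii")  # ends with a newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def normalize_pem(raw):
    """Accept either $ssl_client_raw_cert (plain PEM) or $ssl_client_cert
    (every line after the first prefixed with a tab) and return canonical PEM."""
    lines = [line.strip() for line in raw.splitlines() if line.strip()]
    return "\n".join(lines) + "\n"


def check_client_cert(environ):
    """Return (http_status, fingerprint_or_None) for a WSGI environ.

    Only the uwsgi_param key is consulted, never HTTP_X_CLIENT_CERT, so a
    client cannot smuggle a certificate in through a request header.
    """
    raw = environ.get("X_CLIENT_CERT", "")
    if not raw.strip():
        return "496 No required SSL certificate was sent", None
    try:
        der = ssl.PEM_cert_to_DER_cert(normalize_pem(raw))
    except ValueError:  # bad armour, or bad base64 (binascii.Error is a ValueError)
        return "495 SSL certificate error", None
    fp = fingerprint(der)
    if fp not in TRUSTED_FINGERPRINTS:
        return "495 SSL certificate error", fp
    return "200 OK", fp


def app(environ, start_response):
    """Minimal WSGI application: reject missing or untrusted certificates."""
    status, fp = check_client_cert(environ)
    start_response(status, [("Content-Type", "text/plain")])
    if status.startswith("200"):
        return [("authenticated as %s\n" % fp).encode("ascii")]
    return [(status + "\n").encode("ascii")]
```

The handshake still makes the client prove possession of the private key for whatever certificate it sends, so what the backend gets is "this peer holds the key for this certificate", not "this certificate is trusted"; the allow-list (or the WebID lookup) is the part that turns the former into the latter, and reading the uwsgi_param key rather than an HTTP_* header is what stops a client from supplying that certificate out of band.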
