ssl_client_fingerprint and sha256

Maxim Dounin mdounin at
Mon Dec 2 14:40:07 UTC 2019


On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:

> Hi everyone,
> this is my first post on this mailing list, so bear with me :-)
> Sorry if my question is silly, but I haven't found any way to use a 
> sha256 fingerprint for client certificate validation in Nginx. Sha1 
> fingerprints work fine but we are slowly going toward sha256 as hashing 
> function by default. The ngx_http_ssl_module documentation explicitly 
> specify only sha1 [1].
> I have seen in the Trac that there is a issue open about that [2]. 
> Perhaps there a good reason for not having it currently. I'll be glad to 
> hear from you all. We are using ssl client auth for WAPT project [3] 
> which automates Windows workstation software install and update.

The $ssl_client_fingerprint variable represents a fingerprint of 
a certificate which is already verified based on trusted CA 
certificates listed in the ssl_client_certificate directive.  As 
such, from security point of view using SHA-1 hash function 
shouldn't be a problem, as it merely identifies one of the 
certificates previously signed (and validated).

If you are trying to use $ssl_client_fingerprint literally "for 
client certificate validation", you are probably doing it wrong.

In some setups it might be more convenient to use SHA-256 instead 
of SHA-1, though for now we haven't seen such requests.

Maxim Dounin

More information about the nginx mailing list