ssl_client_fingerprint and sha256
Maxim Dounin
mdounin at mdounin.ru
Mon Dec 2 14:40:07 UTC 2019
Hello!
On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:
> Hi everyone,
>
> this is my first post on this mailing list, so bear with me :-)
>
> Sorry if my question is silly, but I haven't found any way to use a
> sha256 fingerprint for client certificate validation in Nginx. Sha1
> fingerprints work fine but we are slowly going toward sha256 as hashing
> function by default. The ngx_http_ssl_module documentation explicitly
> specify only sha1 [1].
>
> I have seen in the Trac that there is a issue open about that [2].
> Perhaps there a good reason for not having it currently. I'll be glad to
> hear from you all. We are using ssl client auth for WAPT project [3]
> which automates Windows workstation software install and update.
The $ssl_client_fingerprint variable represents a fingerprint of
a certificate which is already verified based on trusted CA
certificates listed in the ssl_client_certificate directive. As
such, from security point of view using SHA-1 hash function
shouldn't be a problem, as it merely identifies one of the
certificates previously signed (and validated).
If you are trying to use $ssl_client_fingerprint literally "for
client certificate validation", you are probably doing it wrong.
In some setups it might be more convenient to use SHA-256 instead
of SHA-1, though for now we haven't seen such requests.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list