ssl_client_fingerprint and sha256
dcardon at tranquil.it
Mon Dec 2 15:44:52 UTC 2019
> On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:
>> Hi everyone,
>> this is my first post on this mailing list, so bear with me :-)
>> Sorry if my question is silly, but I haven't found any way to use a
>> sha256 fingerprint for client certificate validation in Nginx. Sha1
>> fingerprints work fine but we are slowly going toward sha256 as hashing
>> function by default. The ngx_http_ssl_module documentation explicitly
>> specifies only sha1.
>> I have seen in the Trac that there is an issue open about that.
>> Perhaps there is a good reason for not having it currently. I'll be glad to
>> hear from you all. We are using ssl client auth for the WAPT project
>> which automates Windows workstation software install and update.
> The $ssl_client_fingerprint variable represents a fingerprint of
> a certificate which is already verified based on trusted CA
> certificates listed in the ssl_client_certificate directive. As
> such, from a security point of view using the SHA-1 hash function
> shouldn't be a problem, as it merely identifies one of the
> certificates previously signed (and validated).
> If you are trying to use $ssl_client_fingerprint literally "for
> client certificate validation", you are probably doing it wrong.
> In some setups it might be more convenient to use SHA-256 instead
> of SHA-1, though for now we haven't seen such requests.
Actually it is the last case: it is more for the convenience of not storing
both SHA-1 and SHA-256 fingerprints on the server... As you say it is
not a security issue, but when having a security audit (we will have to
renew our CSPN certification on WAPT next year), one has to explain
why using older cryptography is not an issue in the specific use case.
So we will just do the explanation.
Spasibo a lot for your explanations!
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
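The pattern Maxim describes above (validate the client certificate against the trusted CA first, then use $ssl_client_fingerprint only to tell the already-validated certificates apart) looks like the following in nginx configuration. This is an added illustration written for this thread, not configuration from nginx, the WAPT project or either poster; the hostname, file paths, backend address, header names and the two fingerprint values are constructed placeholders.

```nginx
http {
    # Lookup table keyed on the value nginx exposes in $ssl_client_fingerprint:
    # the SHA-1 of the DER-encoded client certificate, as lowercase hex without
    # colons. Both keys below are constructed placeholders, not real certificates.
    # This table is an allow-list of known, previously issued certificates; it is
    # not what validates them (see ssl_client_certificate below).
    map $ssl_client_fingerprint $client_role {
        default                                    "";
        "0123456789abcdef0123456789abcdef01234567"  "workstation";
        "89abcdef0123456789abcdef0123456789abcdef"  "admin";
    }

    server {
        listen      443 ssl;
        server_name wapt.example.internal;            # placeholder hostname

        ssl_certificate     /etc/nginx/tls/server.crt;  # assumed paths
        ssl_certificate_key /etc/nginx/tls/server.key;

        # Step 1: cryptographic validation. The handshake is rejected unless
        # the presented certificate chains to this CA bundle, so every request
        # that reaches a location block already carries a CA-signed cert.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_client      on;
        ssl_verify_depth       2;

        location /api/ {
            # Step 2: authorization. The fingerprint merely identifies which of
            # the CA-signed certificates this is; unknown ones are refused even
            # though they passed validation (e.g. issued but not yet enrolled).
            if ($client_role = "") {
                return 403;
            }

            # Pass identity to the application; headers are assumed names.
            proxy_set_header X-Client-Role        $client_role;
            proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
            proxy_set_header X-Client-DN          $ssl_client_s_dn;
            proxy_pass       http://127.0.0.1:8080;   # assumed backend
        }
    }
}
```

To populate the map from an existing certificate, compute the SHA-1 over the DER form (for example `openssl x509 -in client.crt -noout -fingerprint -sha1`) and normalise the output to lowercase hex with the colons removed, since that is the form nginx compares against. Because a SHA-1 collision would still require the colliding certificate to be signed by the trusted CA, the weaker hash only serves as a lookup key here, which is the distinction the audit explanation mentioned above needs to make.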