Is if statement valid for cert client verification ?

Mik J mikydevel at yahoo.fr
Wed Mar 12 23:45:06 UTC 2025 

Hello Thomas,

Thank you very much for these detailed explanations.

I did use
    ssl_client_certificate /etc/ssl/certs/myuser.crt;
    ssl_verify_client on;

But I had in mind to remove "ssl_client_certificate /etc/ssl/certs/myuser.crt", and replace it with
if ($ssl_client_s_dn !~ "O=MyCorp") { return 403; }

When I read your explanation, I understand that in this file
  ssl_client_certificate /path/to/client/cert/ca.pem;
=> I would need to concatenate all my individual client certificates ?

I wanted to remove "ssl_client_certificate /etc/ssl/certs/myuser.crt" because I wanted that client verification would work for myuser1, myuser2....not juste for one user.
Basicly for all my users in my company, and the website would be exposed on the internet.


Thank you for clarifying the attack scenario, I didn't think about it at all.


My ssl configuration is
    ssl_dhparam /etc/nginx/dhparam4096.key;
    ssl_ecdh_curve prime256v1;
    ssl_certificate /etc/ssl/certs/myapp.mydomain.org_chain.crt;
    ssl_certificate_key /etc/ssl/private/myapp.mydomain.org.key;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 180m;
    ssl_client_certificate /etc/ssl/certs/myuser1.crt;
    ssl_verify_client on;


Regards


Le mercredi 12 mars 2025 à 00:35:36 UTC+1, Thomas Ward <teward at ubuntu.com> a écrit : 





Ideally, I would suggest you avoid using `if` for this because there's 
ways your string matching could be bypassed (by providing a client cert 
with your Org defined in the DN but not legitimate), and instead rely on 
issuing of certs by a specific Certificate Authority and validate 
against that, ala:

server {
  listen 443 ssl;
  ...
  ssl_client_certificate /path/to/client/cert/ca.pem;
  ssl_verify_client on;
  ...
}

This will reject anyone who doesn't have a valid client certificate 
created by the CA defined in ssl_client_certificate. Explanation of my 
issues with YOUR approach (as you don't specify if you're doing 
ssl_client_certificate or ssl_verify_client on;) is assuming you aren't 
doing this, and there's a detailed explanation of why your solution is bad.

---

The way YOU'VE suggested is unsafe and opens to MITM or certificate 
faking. Let's use the following example.

My site accepts client certificates. The CA chain is:

CN=Spigot-CA,OU=Technical,O=Spigot,C=US (Serial 69D2DC9DAAABD023)
--> CN=teward,OU=Admin,O=Spigot (Serial 575EDDCAAA0D654F)

I am using your if statement, matching any case where O(rg) is not equal 
to Spigot. However, I am not actually validating the certificate 
signature against the CA cert. As part of Red Team exercises, the red 
team makes a new certificate that has no CA chain and is self-signed 
with the following DN:

(SELFSIGNED) CN=joesmith,OU=badguy,O=Spigot

When the `if` gets triggered and the ssl_client_certificiate isn't set 
and ssl_verify_client not set to "on", then when your if statement reads 
the DN of the Red Team's certificate, it will not ever hit the 443, 
instead it'll be seen as a "legitimate" cert and processing continues. 
That opens you up to "spoofing" of certificates to bypass protections.

Red Team notifies the security team (me) about this vulnerability. So I 
enforce CA cert checks and client verification.  By forcing the 
verification instead of the CA's certificate against the Client 
Certificate presented (which does cryptographic signature tests, etc. 
far beyond just checking the DN of a certificate), it will prevent that 
'spoofed' cert from working.

Accordingly, when I ask Red Team to retest with the permissions set 
accordingly to actually validate the cert against a specific CA cert or 
chain of certs, the Red Team can no longer succeed with their 'spoofed 
certificates' approach, and would need a valid client certificate signed 
by the valid CA certificate (which requires them to have the private 
key, which if you handle data right will never happen) to access the 
site or its resources (and simply would get Bad Request or similar 
because they didn't send a proper SSL cert).

---

Unless I'm misunderstanding your intention, which may be possible 
because you don't include your whole example configuration, etc. for 
this use case.


Thomas

On 2025-03-11 18:58, Mik J via nginx wrote:
> Hello,
>
> I remember from Nginx that "if" can be evil.
>
> I would like to validate that if can be used in the a context where I would like to authenticate my clients with a certificate.
>
> if ($ssl_client_s_dn !~ "O=MyCorp") { return 403; }
>
> Do you have any recommendation ?
>
> Thank you
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list