Hello!

On Tue, Jan 10, 2017 at 03:41:14PM -0800, Ethan Rahn via nginx-devel wrote:

> Hello,
>
> I noticed that nginx does not check x509v3 certificates (in
> event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example) to see
> that the optional extended key usage settings are correct. I have a patch
> for this that I would like to contribute, but I'm unable to find
> contribution guidelines on the nginx web-site.
>
> The effect of this issue is that someone could offer a client certificate
> that has extended key usage set to, say, serverAuth. This would be a
> violation of RFC 5280 - Section 4.2.1.12. I fix this by checking the
> bitfield manually to see that the settings are correct.

Note that nginx relies on OpenSSL to verify certificates, and
checking things manually might not be a good idea. If you think
that something is missing, a better solution might be to improve
OpenSSL checking instead.

--
Maxim Dounin
http://nginx.org/
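
What OpenSSL's own purpose check does with the certificate described in this thread (extended key usage set to serverAuth, presented as a client certificate), as an added example that is not part of the original messages or of nginx. It builds a constructed demo CA and two leaf certificates in a temporary directory and runs `openssl verify -purpose sslclient` on each; the file, section and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed in a temp dir.

# Minimal config so the result does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo CA (constructed)
[ca_ext]
basicConstraints = critical,CA:TRUE
[client_eku]
extendedKeyUsage = clientAuth
[server_eku]
extendedKeyUsage = serverAuth
EOF
}

# issue <dir> <name> <ext-section>: leaf certificate signed by the demo CA.
issue() {
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/demo.cnf" -extensions "$3" \
        -out "$1/$2.pem" 2>/dev/null
}

# verdict <dir> <name>: "accepted" or "rejected" for use as a TLS client cert.
verdict() {
    if openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/$2.pem" \
        >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# eku_demo: prints one line per leaf: client_eku=accepted, server_eku=rejected.
eku_demo() {
    d=$(mktemp -d) || return 1
    write_cnf "$d"
    openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for s in client_eku server_eku; do
        issue "$d" "$s" "$s" && echo "$s=$(verdict "$d" "$s")"
    done
    rm -rf "$d"
}

eku_demo
```

Running `openssl verify` without `>/dev/null 2>&1` on the serverAuth leaf shows the purpose error OpenSSL reports at depth 0.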
