Hello! On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:

On Mon, Mar 18, 2019 at 11:53:52AM +0100, Francesco Giacomini wrote:

> # HG changeset patch
> # User Francesco Giacomini <[email protected]>
> # Date 1552665342 -3600
> #      Fri Mar 15 16:55:42 2019 +0100
> # Node ID 0b5d82532ea5c5be20af26f1d82a74b6cd451665
> # Parent  c74904a1702135f673a275bd0d36f010a3bfb89a
> SSL: support for client proxy certificates
>
> Add the option ssl_allow_proxy_certs to allow client authentication
> through X.509 proxy certificates (RFC 3820).
>
> It used to be possible by setting the environment variable
> OPENSSL_ALLOW_PROXY_CERTS, but since OpenSSL 1.1 it has to be
> done programmatically.

Thanks for the patch.

Docs (/doc/HOWTO/proxy_certificates.txt as of OpenSSL 1.1.1b) say:

: For these reasons, OpenSSL requires that the use of proxy certificates be
: explicitly allowed.  Currently, this can be done using the following methods:
:
: - if the application directly calls X509_verify_cert(), it can first call:
:
:   X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
:
:   Where ctx is the pointer which then gets passed to X509_verify_cert().
:
: - proxy certificate validation can be enabled before starting the application
:   by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
:
: In the future, it might be possible to enable proxy certificates by editing
: openssl.cnf.

Since nginx does not call X509_verify_cert() directly, the only
documented approach is to use the OPENSSL_ALLOW_PROXY_CERTS
environment variable.

If this functionality is important for you, and given that the
documented approach no longer works, have you considered filing a
bug with the OpenSSL team?  It looks like at least one already
exists, though it lacks a proper description of the problem:

https://github.com/openssl/openssl/issues/8177

I'm also a bit sceptical about how common proxy certificates are
and whether these need to be supported by nginx, given that
there is still no support even in openssl.cnf.
--
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
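The refusal the quoted HOWTO describes, shown end to end with the openssl command-line tool: a CA issues an end-entity certificate, the end-entity key issues an RFC 3820 proxy certificate, and `openssl verify` rejects that proxy certificate until proxy validation is explicitly enabled. This is an added example, not code from the mailing-list post, from nginx or from OpenSSL's documentation. The certificate subjects, file names and config sections are constructed for it; `-allow_proxy_certs` is the verify(1) option that sets X509_V_FLAG_ALLOW_PROXY_CERTS on the verification parameters, the same flag the HOWTO passes to X509_STORE_CTX_set_flags().

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread, of nginx or of OpenSSL's
# own docs: build CA -> end-entity -> RFC 3820 proxy certificate with the
# openssl CLI and show that OpenSSL refuses the proxy certificate unless proxy
# validation is explicitly enabled. "openssl verify -allow_proxy_certs" sets
# X509_V_FLAG_ALLOW_PROXY_CERTS, the flag the quoted HOWTO passes to
# X509_STORE_CTX_set_flags(). Config file, subjects and file names are
# constructed for this demo.

make_proxy_chain() {
    dir=$1
    cnf="$dir/demo.cnf"
    # Constructed extension sections for the three roles in the chain.
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[v3_proxy]
# proxyCertInfo is what marks a certificate as an RFC 3820 proxy.
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB
EOF
    # 1. Self-signed CA.
    openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example/CN=Demo CA" -extensions v3_ca >/dev/null 2>&1 || return 1
    # 2. End-entity certificate for the user, signed by the CA.
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/O=Example/CN=alice" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 1 -extfile "$cnf" -extensions v3_user \
        -out "$dir/user.pem" >/dev/null 2>&1 || return 1
    # 3. Proxy certificate: signed with the user's own (non-CA) key, and its
    #    subject is the user's subject plus exactly one extra CN (RFC 3820 3.4).
    openssl req -config "$cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" \
        -subj "/O=Example/CN=alice/CN=proxy" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/user.pem" -CAkey "$dir/user.key" \
        -set_serial 3 -days 1 -extfile "$cnf" -extensions v3_proxy \
        -out "$dir/proxy.pem" >/dev/null 2>&1 || return 1
}

# verify_proxy DIR allow|deny: 0 if "openssl verify" accepts proxy.pem, 1 if not.
verify_proxy() {
    dir=$1
    flag=""
    if [ "$2" = allow ]; then
        flag="-allow_proxy_certs"
    fi
    if openssl verify $flag -CAfile "$dir/ca.pem" -untrusted "$dir/user.pem" "$dir/proxy.pem"; then
        return 0
    fi
    return 1
}

# Stand-alone run: the first verify fails with error 40
# ("proxy certificates not allowed, please set the appropriate flag"),
# the second succeeds.
demo_dir=$(mktemp -d)
if make_proxy_chain "$demo_dir"; then
    if verify_proxy "$demo_dir" deny; then
        echo "unexpected: proxy certificate accepted without the flag"
    else
        echo "rejected without -allow_proxy_certs (expected)"
    fi
    if verify_proxy "$demo_dir" allow; then
        echo "accepted with -allow_proxy_certs (expected)"
    fi
fi
rm -rf "$demo_dir"
```

The point the second verify makes is the one the thread is about: the flag must be set by whoever drives the verification. A server that lets OpenSSL verify client certificates for it (as nginx does) has no `-allow_proxy_certs` switch of its own unless it sets the flag on its SSL_CTX verify parameters in code, which is what the posted patch adds and what the environment variable used to do.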
