[PATCH] Mail: added support for SSL client certificate

2014-01-25 Thread Filipe da Silva
# HG changeset patch
# User Franck Levionnois flevionnois at gmail.com
# Date 1390577176 -3600
#  Fri Jan 24 16:26:16 2014 +0100
# Node ID 9dc48eeb8e5cb022676dbbe56e3435d20e822ab3
# Parent  a387ce36744aa36b50e8171dbf01ef716748327e
Mail: added support for SSL client certificate.

Add support for SSL mutual authentication, as in the HTTP module.

Added mail configuration directives (like http):
ssl_verify_client, ssl_verify_depth, ssl_client_certificate,
ssl_trusted_certificate, ssl_crl

Added headers:
Auth-Certificate, Auth-Certificate-Verify, Auth-Issuer-DN, Auth-Subject-DN, 
Auth-Subject-Serial

diff -r a387ce36744a -r 9dc48eeb8e5c src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c  Thu Jan 23 22:09:59 2014 +0900
+++ b/src/mail/ngx_mail_auth_http_module.c  Fri Jan 24 16:26:16 2014 +0100
@@ -1135,6 +1135,35 @@ ngx_mail_auth_http_dummy_handler(ngx_eve
mail auth http dummy handler);
 }
 
+#if (NGX_MAIL_SSL)
+
+static ngx_int_t
+ngx_ssl_get_certificate_oneline(ngx_connection_t *c, ngx_pool_t *pool,
+ngx_str_t *b64_cert)
+{
+ngx_str_t   pem_cert;
+if (ngx_ssl_get_raw_certificate(c, pool, pem_cert) != NGX_OK) {
+return NGX_ERROR;
+}
+
+if (pem_cert.len == 0) {
+b64_cert-len = 0;
+return NGX_OK;
+}
+
+b64_cert-len = ngx_base64_encoded_length(pem_cert.len);
+b64_cert-data = ngx_palloc(pool, b64_cert-len);
+if (b64_cert-data == NULL) {
+b64_cert-len = 0;
+return NGX_ERROR;
+}
+ngx_encode_base64(b64_cert, pem_cert);
+
+return NGX_OK;
+}
+
+#endif
+
 
 static ngx_buf_t *
 ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
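Review bot: ngx_ssl_get_certificate_oneline() runs ngx_encode_base64() over the whole PEM block returned by ngx_ssl_get_raw_certificate(), so the backend receives a second base64 layer on top of a text that is already base64 with BEGIN/END lines; this is a reasonable way to keep the header on one line, but it should be stated in the commit message and docs, since a backend written for the http module's $ssl_client_cert will expect plain PEM. Two smaller points in the same function: the `pem_cert.len == 0` branch clears only b64_cert->len, so set b64_cert->data = NULL there as well rather than leaving the pointer uninitialised, and the `b64_cert-len = 0` on the ngx_palloc() failure path is redundant because the caller aborts on NGX_ERROR. The archive has stripped `&` and `->` from the hunk, so as shown `pem_cert` is passed by value to ngx_ssl_get_raw_certificate(), which would not compile; the original should read `&pem_cert`.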
@@ -1143,6 +1172,11 @@ ngx_mail_auth_http_create_request(ngx_ma
 size_t len;
 ngx_buf_t *b;
 ngx_str_t  login, passwd;
+#if (NGX_MAIL_SSL)
+ngx_str_t  client_cert, client_verify,
+   client_subject, client_issuer,
+   client_serial;
+#endif
 ngx_mail_core_srv_conf_t  *cscf;
 
 if (ngx_mail_auth_http_escape(pool, s-login, login) != NGX_OK) {
@@ -1155,6 +1189,41 @@ ngx_mail_auth_http_create_request(ngx_ma
 
 cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module);
 
+#if (NGX_MAIL_SSL)
+if (s-connection-ssl) {
+if (ngx_ssl_get_client_verify(s-connection, pool,
+  client_verify) != NGX_OK) {
+return NULL;
+}
+
+if (ngx_ssl_get_subject_dn(s-connection, pool,
+   client_subject) != NGX_OK) {
+return NULL;
+}
+
+if (ngx_ssl_get_issuer_dn(s-connection, pool,
+  client_issuer) != NGX_OK) {
+return NULL;
+}
+
+if (ngx_ssl_get_serial_number(s-connection, pool,
+  client_serial) != NGX_OK) {
+return NULL;
+}
+
+if (ngx_ssl_get_certificate_oneline(s-connection, pool,
+client_cert) != NGX_OK) {
+return NULL;
+}
+} else {
+client_verify.len = 0;
+client_issuer.len = 0;
+client_subject.len = 0;
+client_serial.len = 0;
+client_cert.len = 0;
+}
+#endif
+
 len = sizeof(GET ) - 1 + ahcf-uri.len + sizeof( HTTP/1.0 CRLF) - 1
   + sizeof(Host: ) - 1 + ahcf-host_header.len + sizeof(CRLF) - 1
   + sizeof(Auth-Method: ) - 1
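Review bot: the subject DN, issuer DN and serial are copied into request headers without the ngx_mail_auth_http_escape() treatment that s->login gets a few lines above; a DN is attacker-chosen text up to the CA's policy, so either escape these values the same way or reject values containing CR or LF before they become header values. Note also that the zeroing in the `else` branch only covers non-TLS connections: on a TLS connection without a client certificate (ssl_verify_client optional) all five lookups still run and whatever they return is sent, so the backend must key its decision on Auth-Certificate-Verify and not on the presence of Auth-Subject-DN; the commit message should say so. The `else` branch leaves the .data members unset; harmless while every use checks .len first, but initialising them to NULL costs nothing.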
@@ -1163,6 +1232,18 @@ ngx_mail_auth_http_create_request(ngx_ma
   + sizeof(Auth-User: ) - 1 + login.len + sizeof(CRLF) - 1
   + sizeof(Auth-Pass: ) - 1 + passwd.len + sizeof(CRLF) - 1
   + sizeof(Auth-Salt: ) - 1 + s-salt.len
+#if (NGX_MAIL_SSL)
+  + sizeof(Auth-Certificate: ) - 1 + client_cert.len
++ sizeof(CRLF) - 1
+  + sizeof(Auth-Certificate-Verify: ) - 1 + client_verify.len
++ sizeof(CRLF) - 1
+  + sizeof(Auth-Issuer-DN: ) - 1 + client_issuer.len
++ sizeof(CRLF) - 1
+  + sizeof(Auth-Subject-DN: ) - 1 + client_subject.len
++ sizeof(CRLF) - 1
+  + sizeof(Auth-Subject-Serial: ) - 1 + client_serial.len
++ sizeof(CRLF) - 1
+#endif
   + sizeof(Auth-Protocol: ) - 1 + cscf-protocol-name.len
 + sizeof(CRLF) - 1
   + sizeof(Auth-Login-Attempt: ) - 1 + NGX_INT_T_LEN
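Review bot: the length budget always reserves room for all five Auth-* headers, while the next hunk writes Auth-Certificate only when client_cert.len is non-zero, so the buffer can only be over-sized, never under-sized; that is safe, but a one-line comment saying the reservation is unconditional saves the next reader the same check. The `+ sizeof(CRLF) - 1` continuation lines in this block sit at a different indent from the existing ones just below (Auth-Protocol), which is presumably the whitespace issue the follow-up message in this thread refers to.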
@@ -1213,6 +1294,44 @@ ngx_mail_auth_http_create_request(ngx_ma
 s-passwd.data = NULL;
 }
 
+#if (NGX_MAIL_SSL)
+if (client_cert.len) {
+b-last = ngx_cpymem(b-last, Auth-Certificate: ,
+ sizeof(Auth-Certificate: ) - 1);
+b-last = ngx_copy(b-last, client_cert.data, client_cert.len);
+*b-last++ = CR; *b-last++ = LF;
+}
+
+if (client_verify.len) {
+b-last 
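Review bot: the hunk is cut off in the archive after `b-last`, so the writes for Auth-Certificate-Verify and the remaining headers cannot be reviewed here; for the visible part, the `if (client_cert.len)` guard before the Auth-Certificate write is consistent with the length computed earlier. If the DN and serial headers are written with the same ngx_cpymem/ngx_copy pattern, they carry the unescaped values raised on the previous hunk, and the Auth-Certificate value needs documenting as base64 of the PEM text.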

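The headers this patch adds are consumed by the auth_http backend, so the backend side of the exchange is shown here as an added example; it is not part of the patch or of nginx. It is a minimal parser for the HTTP/1.0 request the mail module builds, plus the two checks a backend should make before trusting a client-certificate identity: require a successful verification result, and undo the base64 layer that ngx_ssl_get_certificate_oneline() in the first hunk puts on top of the PEM. The request text and the PEM body are constructed for the example, the /auth URI and the header values are placeholders, and the "SUCCESS" value for Auth-Certificate-Verify is an assumption carried over from what the http module reports in $ssl_client_verify.

```python
import base64

# Constructed sample PEM (not a real certificate); only its text is round-tripped.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBexampleexampleexampleexampleexampleexampleexampleexample==\n"
    "-----END CERTIFICATE-----\n"
)


def build_sample_request(verify="SUCCESS", pem=FAKE_PEM):
    """Build a request in the shape the patched create_request() produces.
    Constructed for the example, not captured from nginx; URI and values
    are placeholders."""
    cert_b64 = base64.b64encode(pem.encode()).decode() if pem else ""
    lines = [
        "GET /auth HTTP/1.0",
        "Host: localhost",
        "Auth-Method: plain",
        "Auth-User: alice",
        "Auth-Pass: secret",
        "Auth-Protocol: imap",
        "Auth-Login-Attempt: 1",
    ]
    if cert_b64:  # the patch writes this header only when a cert is present
        lines.append("Auth-Certificate: " + cert_b64)
    lines += [
        "Auth-Certificate-Verify: " + verify,
        "Auth-Issuer-DN: /C=FR/O=Example CA/CN=Example Issuing CA",
        "Auth-Subject-DN: /C=FR/O=Example/CN=alice",
        "Auth-Subject-Serial: 0A1B2C",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_auth_request(raw):
    """Parse the request line and headers; returns (method, uri, headers).
    Header names are case-insensitive in HTTP, so keys are lower-cased."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def certificate_identity(headers):
    """Return the subject DN only when nginx reports a verified chain.
    The patch sends the DN headers on every TLS connection whatever the
    verification outcome, so the verify header is the only signal that the
    chain was actually checked.  "SUCCESS" is the assumed value, matching
    what the http module exposes in $ssl_client_verify."""
    if headers.get("auth-certificate-verify") != "SUCCESS":
        return None
    return headers.get("auth-subject-dn") or None


def decode_certificate(headers):
    """Undo the extra base64 layer the patch adds over the PEM text."""
    b64 = headers.get("auth-certificate")
    if not b64:
        return None
    return base64.b64decode(b64, validate=True).decode()
```

A backend that looks at Auth-Subject-DN without first checking Auth-Certificate-Verify would accept a DN from an unverified or absent certificate, which is the failure mode the second review note above warns about.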
Re: [PATCH 0 of 1] Mail: add support for SSL client certificate

2014-01-25 Thread Filipe Da Silva
Hi, and Salut Franck ;)

I just fixed the typo, indentation, white space and empty line mistakes I
have seen.

I have been working on this patch with Franck, as part of my last job.


Filipe Da Silva


2014/1/25  nginx-devel-requ...@nginx.org:
 --

 Message: 2
 Date: Fri, 24 Jan 2014 21:40:32 +0100
 From: flevionn...@gmail.com
 To: nginx-devel@nginx.org
 Subject: [PATCH 0 of 1] Mail: add support for SSL client certificate
 Message-ID: patchbomb.1390596...@flevionnois2.dictao.com
 Content-Type: text/plain; charset=us-ascii

 Add support for mail SSL client auth

 Takes into account Sven Peter's patch
 http://forum.nginx.org/read.php?29,246309,246328#msg-246328

 and transmit the client certificate to the backend server



___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel


Re: Using 2 intersection of conditions for proxy_cache_bypass (avoiding logical if/and)

2014-01-25 Thread Jonathan Kolb
You can chain two maps to get a logical and:

map $request_method $is_get {
    default 0;
    GET     1;
}

map $http_cache_bypass $bypass_cache {
    default $is_get;
    ""      0;
}

proxy_cache_methods POST;
proxy_cache_bypass $bypass_cache;

# note the lack of : after default in the maps, it's incorrect to have it
# there like your original map did


On Fri, Jan 24, 2014 at 10:03 PM, B.R. reallfqq-ng...@yahoo.fr wrote:

 Hello,

 On Sat, Jan 25, 2014 at 3:40 AM, Jeroen Ooms jeroen.o...@stat.ucla.edu wrote:

 This looks like a fragile solution. You're basically simulating an
 if, but I don't think we should assume that nginx will resolve all
 maps in the defined order, as it would when using if.

 *snip*

 Maybe someone from the nginx team can comment if this is a viable
 solution?


 You stated explicitly in your message subject that you wanted to avoid
 if/and logic (one could wonder why, since there appears to be no other
 trivial solution)...
 In the end, since the proxy_cache_bypass doc clearly states that it works
 based on OR logic, what you wish won't happen magically.

 With those conditions set, I hardly see something that won't look edgy...

 Maybe someone else could help you better.
 Good luck,
 ---
 *B. R.*


___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Nginx and cgit - upstream prematurely closed FastCGI stdout

2014-01-25 Thread Lars
I'm trying to set up cgit 0.10 with nginx 1.2.1-2.2 and fastcgi 1.0.3-3.
Unfortunately the response is a 502. The following message is written in
the error.log:

[error] 30956#0: *1 upstream prematurely closed FastCGI stdout while 
reading response header from upstream, client: **, server: **, request: 
GET / HTTP/1.1, upstream: fastcgi://unix:/var/run/fcgiwrap.socket:, 
host: **/i

My nginx site is configured as follows:

server {
    ...
    root /var/www/cgit/;
    proxy_redirect off;

    location ~* ^.+\.(css|png|ico)$ {
        expires 30d;
    }

    location / {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  /var/www/cgit;
        fastcgi_pass   unix:/var/run/fcgiwrap.socket;
        fastcgi_param  PATH_INFO        $uri;
        fastcgi_param  QUERY_STRING     $args;
    }
}

Does anybody have an idea what is going wrong? I also tried to raise
the timeout limit, but without success.


Thanks!
snafu

Re: Using 2 intersection of conditions for proxy_cache_bypass (avoiding logical if/and)

2014-01-25 Thread Jeroen Ooms
On Sat, Jan 25, 2014 at 5:24 AM, Jonathan Kolb kolbyj...@gmail.com wrote:
 You can chain two maps to get a logical and:

Thank you, this is precisely what I needed.

 # note the lack of : after default in the maps, it's incorrect to have it
 there like your original map did

Good catch, thanks. Appreciate it.



Re: proxy_cache_methods OPTIONS;

2014-01-25 Thread Jeroen Ooms
On Fri, Jan 24, 2014 at 11:42 PM, wishmaster artem...@ukr.net wrote:
 What is your proxy_cache_methods value?

I tried both

proxy_cache_methods OPTIONS;

as well as

proxy_cache_methods GET HEAD OPTIONS;

but both gave the error.
