[PATCH] Mail: added support for SSL client certificate
# HG changeset patch # User Franck Levionnois flevionnois at gmail.com # Date 1390577176 -3600 # Fri Jan 24 16:26:16 2014 +0100 # Node ID 9dc48eeb8e5cb022676dbbe56e3435d20e822ab3 # Parent a387ce36744aa36b50e8171dbf01ef716748327e Mail: added support for SSL client certificate. Add support for SSL Mutual Authentification like in HTTP module. Added mail configuration directives (like http): ssl_verify_client, ssl_verify_depth, ssl_client_certificate, ssl_trusted_certificate, ssl_crl Added headers: Auth-Certificate, Auth-Certificate-Verify, Auth-Issuer-DN, Auth-Subject-DN, Auth-Subject-Serial diff -r a387ce36744a -r 9dc48eeb8e5c src/mail/ngx_mail_auth_http_module.c --- a/src/mail/ngx_mail_auth_http_module.c Thu Jan 23 22:09:59 2014 +0900 +++ b/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 +0100 @@ -1135,6 +1135,35 @@ ngx_mail_auth_http_dummy_handler(ngx_eve mail auth http dummy handler); } +#if (NGX_MAIL_SSL) + +static ngx_int_t +ngx_ssl_get_certificate_oneline(ngx_connection_t *c, ngx_pool_t *pool, +ngx_str_t *b64_cert) +{ +ngx_str_t pem_cert; +if (ngx_ssl_get_raw_certificate(c, pool, pem_cert) != NGX_OK) { +return NGX_ERROR; +} + +if (pem_cert.len == 0) { +b64_cert-len = 0; +return NGX_OK; +} + +b64_cert-len = ngx_base64_encoded_length(pem_cert.len); +b64_cert-data = ngx_palloc(pool, b64_cert-len); +if (b64_cert-data == NULL) { +b64_cert-len = 0; +return NGX_ERROR; +} +ngx_encode_base64(b64_cert, pem_cert); + +return NGX_OK; +} + +#endif + static ngx_buf_t * ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, @@ -1143,6 +1172,11 @@ ngx_mail_auth_http_create_request(ngx_ma size_t len; ngx_buf_t *b; ngx_str_t login, passwd; +#if (NGX_MAIL_SSL) +ngx_str_t client_cert, client_verify, + client_subject, client_issuer, + client_serial; +#endif ngx_mail_core_srv_conf_t *cscf; if (ngx_mail_auth_http_escape(pool, s-login, login) != NGX_OK) { 
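Review bot: The new helper ngx_ssl_get_certificate_oneline has no comment stating what value it produces: it base64-encodes whatever ngx_ssl_get_raw_certificate returns, which from the name pem_cert appears to be the PEM text (itself base64 with BEGIN/END lines), so a backend reading Auth-Certificate has to decode twice to reach the DER certificate. A comment above the function such as `/* Auth-Certificate value: base64 of the PEM-encoded client certificate, empty when none was presented */` would make that contract explicit to backend authors. The ngx_ssl_ prefix reads as part of the shared SSL layer, yet this is a static function local to the mail auth-http module, so a ngx_mail_auth_http_ prefix would match the file's other helpers. On the ngx_ssl_get_raw_certificate failure path b64_cert->len is also left untouched while the allocation-failure path zeroes it; the caller returns NULL either way, so this is a consistency point only.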
@@ -1155,6 +1189,41 @@ ngx_mail_auth_http_create_request(ngx_ma cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); +#if (NGX_MAIL_SSL) +if (s-connection-ssl) { +if (ngx_ssl_get_client_verify(s-connection, pool, + client_verify) != NGX_OK) { +return NULL; +} + +if (ngx_ssl_get_subject_dn(s-connection, pool, + client_subject) != NGX_OK) { +return NULL; +} + +if (ngx_ssl_get_issuer_dn(s-connection, pool, + client_issuer) != NGX_OK) { +return NULL; +} + +if (ngx_ssl_get_serial_number(s-connection, pool, + client_serial) != NGX_OK) { +return NULL; +} + +if (ngx_ssl_get_certificate_oneline(s-connection, pool, +client_cert) != NGX_OK) { +return NULL; +} +} else { +client_verify.len = 0; +client_issuer.len = 0; +client_subject.len = 0; +client_serial.len = 0; +client_cert.len = 0; +} +#endif + len = sizeof(GET ) - 1 + ahcf-uri.len + sizeof( HTTP/1.0 CRLF) - 1 + sizeof(Host: ) - 1 + ahcf-host_header.len + sizeof(CRLF) - 1 + sizeof(Auth-Method: ) - 1 @@ -1163,6 +1232,18 @@ ngx_mail_auth_http_create_request(ngx_ma + sizeof(Auth-User: ) - 1 + login.len + sizeof(CRLF) - 1 + sizeof(Auth-Pass: ) - 1 + passwd.len + sizeof(CRLF) - 1 + sizeof(Auth-Salt: ) - 1 + s-salt.len +#if (NGX_MAIL_SSL) + + sizeof(Auth-Certificate: ) - 1 + client_cert.len ++ sizeof(CRLF) - 1 + + sizeof(Auth-Certificate-Verify: ) - 1 + client_verify.len ++ sizeof(CRLF) - 1 + + sizeof(Auth-Issuer-DN: ) - 1 + client_issuer.len ++ sizeof(CRLF) - 1 + + sizeof(Auth-Subject-DN: ) - 1 + client_subject.len ++ sizeof(CRLF) - 1 + + sizeof(Auth-Subject-Serial: ) - 1 + client_serial.len ++ sizeof(CRLF) - 1 +#endif + sizeof(Auth-Protocol: ) - 1 + cscf-protocol-name.len + sizeof(CRLF) - 1 + sizeof(Auth-Login-Attempt: ) - 1 + NGX_INT_T_LEN 
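Review bot: In the else branch of the new `if (s->connection->ssl)` block only `.len` is zeroed and `.data` is left indeterminate for all five ngx_str_t values, while the ssl branch fills both; the later copy code in this patch guards on `.len`, so it is safe today, but a reader has to find that guard to know it. Writing `ngx_str_null(&client_cert);` (and the same for client_verify, client_issuer, client_subject and client_serial) initialises both fields in one step. Separately, the request carries Auth-Subject-DN, Auth-Issuer-DN and Auth-Subject-Serial whenever a certificate was presented, including when Auth-Certificate-Verify reports a failed verification, so a comment here, or in the directive documentation, should say that a backend must rely on those identity headers only when Auth-Certificate-Verify is SUCCESS. The enclosing function ngx_mail_auth_http_create_request starts outside the hunk.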
@@ -1213,6 +1294,44 @@ ngx_mail_auth_http_create_request(ngx_ma s-passwd.data = NULL; } +#if (NGX_MAIL_SSL) +if (client_cert.len) { +b-last = ngx_cpymem(b-last, Auth-Certificate: , + sizeof(Auth-Certificate: ) - 1); +b-last = ngx_copy(b-last, client_cert.data, client_cert.len); +*b-last++ = CR; *b-last++ = LF; +} + +if (client_verify.len) { +b-last
Re: [PATCH 0 of 1] Mail: add support for SSL client certificate
Hi, and Salut Franck ;) I just fixed the typo, indentation, white-space and empty-line mistakes I had seen. I have been working on this patch with Franck, as part of my last job. Filipe Da Silva 2014/1/25 nginx-devel-requ...@nginx.org: -- Message: 2 Date: Fri, 24 Jan 2014 21:40:32 +0100 From: flevionn...@gmail.com To: nginx-devel@nginx.org Subject: [PATCH 0 of 1] Mail: add support for SSL client certificate Message-ID: patchbomb.1390596...@flevionnois2.dictao.com Content-Type: text/plain; charset=us-ascii Add support for mail SSL client auth. Take into account Sven Peter's patch http://forum.nginx.org/read.php?29,246309,246328#msg-246328 and transmit the client certificate to the backend server. ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: Using 2 intersection of conditions for proxy_cache_bypass (avoiding logical if/and)
You can chain two maps to get a logical and: map $request_method $is_get { default 0; GET 1; } map $http_cache_bypass $bypass_cache { default $is_get; 0; } proxy_cache_methods POST; proxy_cache_bypass $bypass_cache; # note the lack of : after default in the maps, it's incorrect to have it there like your original map did On Fri, Jan 24, 2014 at 10:03 PM, B.R. reallfqq-ng...@yahoo.fr wrote: Hello, On Sat, Jan 25, 2014 at 3:40 AM, Jeroen Ooms jeroen.o...@stat.ucla.eduwrote: This looks like a fragile solution. You're basically simulating an if, but I don't think we should assume that nginx will resolve all maps in the defined order, as it would when using if. *snip* Maybe someone from the nginx team can comment on whether this is a viable solution? You stated clearly that you wanted to avoid if/and logic in your message subject (one could wonder why, since there appears to be no other trivial solution)... In the end, since the proxy_cache_bypass documentation clearly states that it works on an OR logic, what you wish for won't happen magically. With those conditions set, I can hardly see a solution that won't look hacky... Maybe someone else can help you better. Good luck, --- *B. R.* ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Nginx and cgit - upstream prematurely closed FastCGI stdout
I'm trying to set up cgit 0.10 with nginx 1.2.1-2.2 and fastcgi 1.0.3-3. Unfortunately the response is a 502. The following message is written in the error.log: [error] 30956#0: *1 upstream prematurely closed FastCGI stdout while reading response header from upstream, client: **, server: **, request: GET / HTTP/1.1, upstream: fastcgi://unix:/var/run/fcgiwrap.socket:, host: **/i My nginx site is configured as follows: server { ... root /var/www/cgit/; proxy_redirect off; location ~* ^.+\.(css|png|ico)$ { expires 30d; } location / { include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/cgit; fastcgi_pass unix:/var/run/fcgiwrap.socket; fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; } } Does anybody have an idea what is going wrong? I also tried to raise the timeout limit, without success. Thanks! snafu ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Using 2 intersection of conditions for proxy_cache_bypass (avoiding logical if/and)
On Sat, Jan 25, 2014 at 5:24 AM, Jonathan Kolb kolbyj...@gmail.com wrote: You can chain two maps to get a logical and: Thank you, this is precisely what I needed. # note the lack of : after default in the maps, it's incorrect to have it there like your original map did Good catch, thanks. Appreciate it. ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: proxy_cache_methods OPTIONS;
On Fri, Jan 24, 2014 at 11:42 PM, wishmaster artem...@ukr.net wrote: What is your proxy_cache_methods value? I tried both proxy_cache_methods OPTIONS; as well as proxy_cache_methods GET HEAD OPTIONS; but both gave the error. ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx