Custom Query (2297 matches)

Results (31 - 33 of 2297)

Ticket Resolution Summary Owner Reporter
#449 worksforme New variable for SubjectAltName in the client SSL certificate openid.bcgl.fr/benjamin
Description

Some new authentication systems like WebID-TLS [1] require access to the SubjectAltName field of the client SSL X509 certificate.

Currently, to the best of our knowledge, no variable defined in the SSL module [2] can extract this information. It would be nice to have a variable similar to $ssl_client_s_dn for this specific field, or a general variable for the full certificate.

[1] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html#the-certificate
[2] http://nginx.org/en/docs/http/ngx_http_ssl_module.html

#455 worksforme nginx makes it hard to configure ipv4/6 default cases in listen statement Robert Buchholz
Description

In a usual setup, where a web server is serving the public internet, one may want to configure nginx to accept IPv4 and IPv6 connections.

This is unnecessarily hard, as one can either specify one or two listen statements to listen on v4 and v6:

        listen       :80;
        listen       [::]:80 ipv6only=on;
    OR
        listen       [::]:80 ipv6only=off;

However, this only applies to the first such server statement. Subsequent statements will fail when written as:

        listen       :80;
    OR
        listen       [::]:80 ipv6only=off;

While it makes perfect sense to allow binding to any address in any server statement, and create contradicting configurations, the default should really be that

        listen       80;
    OR
        listen       :80;

will bind to both IPv4 and IPv6 addresses, whereas

        listen       0.0.0.0:80;
    OR
        listen       [::0]:80;

can be used to create a specific binding.

This is reproducible on

# uname -a
Linux localhost 3.11.9-200.fc19.x86_64 #1 SMP Wed Nov 20 21:22:24 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# nginx -V
nginx version: nginx/1.4.3
built by gcc 4.8.2 20131017 (Red Hat 4.8.2-1) (GCC) 
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

# uname -a
Linux localhost 2.6.32-358.23.2.el6.x86_64 #1 SMP Wed Oct 16 18:37:12 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# nginx -V
nginx version: nginx/1.0.15
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) 
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E
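
As an added example (not part of the ticket and not nginx's own documentation), the configuration pattern that sidesteps the ambiguity described above: one explicit listen directive per address family in every server block, plus a single default_server per family that refuses requests for unknown hosts, so the set of bound sockets is the same no matter how the server blocks are ordered. Hostnames and paths are placeholders.

```nginx
# Added example: explicit dual-stack binding per server block.
# Since nginx 1.3.4 the ipv6only parameter defaults to on, so "[::]:80"
# binds an IPv6-only socket and does not collide with the IPv4 "80" socket.
# On the older 1.0.x build shown in the ticket, write "[::]:80 ipv6only=on".

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Requests whose Host header matches no server block are dropped
    # instead of being served by whichever block happens to come first.
    return 444;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;      # placeholder hostname
    root /var/www/example;            # placeholder path
}
```

Because every server block names both the IPv4 and the IPv6 socket, adding or reordering blocks cannot change which families a given site is reachable on, and `nginx -t` reports any address conflict at load time rather than after deployment.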

#461 worksforme Client: OpenSSL SSLv2 options set even with SSL_OP_NO_SSLv2 Jeffrey Walton
Description

SSL_OP_NO_SSLv2 precludes SSL_OP_MICROSOFT_SESS_ID_BUG and SSL_OP_NETSCAPE_CHALLENGE_BUG.

From ngx_event_openssl.c, around line 180:

    /* client side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);

    ...

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }

Perhaps something like the following would be useful for clients:

    if (protocols & NGX_SSL_SSLv2) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
    }

If <openssl/opensslconf.h> is included, then the following can also be used to exclude the SSLv2 and SSLv3 stuff:

$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep -i ssl
2329:# if defined(OPENSSL_NO_SSLV2) && !defined(NO_SSLV2)
2382:#  define NO_SSLV2
2401-# endif
--
2409:# if defined(OPENSSL_NO_SSLV3) && !defined(NO_SSLV3)
2462:#  define NO_SSLV3
2481-# endif