Opened 3 years ago

Closed 3 years ago

#1301 closed enhancement (wontfix)

New variable $ssl_client_signature for ngx_http_ssl_module

Reported by: dmitry.rudenko.moneta.ru@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.13.x
Keywords: ssl client signature
Cc:
uname -a: Linux bal 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.12.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g-fips 1 Mar 2016 (running with OpenSSL 1.0.2g 1 Mar 2016)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

New variable $ssl_client_signature for ngx_http_ssl_module

Change History (6)

comment:1 by Maxim Dounin, 3 years ago

It is not clear what the variable is expected to contain, and why it is beneficial. You may want to clarify your suggestion.

comment:2 by dmitry.rudenko.moneta.ru@…, 3 years ago

Sorry for the brevity.

$ssl_client_signature is the client X.509 certificate signature.

Now we use $ssl_client_cert and proxy_set_header. We do not use the entire certificate at the backend - we use the certificate signature only.

At the same time there is a problem with $ssl_client_cert and proxy_set_header, for example https://trac.nginx.org/nginx/ticket/857

Last edited 3 years ago by dmitry.rudenko.moneta.ru@…

comment:3 by dmitry.rudenko.moneta.ru@…, 3 years ago

Last edited 3 years ago by dmitry.rudenko.moneta.ru@…

comment:4 by Maxim Dounin, 3 years ago

What do you mean by "x509 certificate signature"?

Normally, an X509 signature looks like:

    Signature Algorithm: sha512WithRSAEncryption
         be:26:86:27:15:44:20:f2:4a:b9:f5:9b:9b:05:38:2a:c2:7b:
         7f:28:23:e0:8a:1b:48:b3:2d:c3:9d:51:c7:e6:e9:0d:fe:91:
         74:4d:50:96:65:08:b2:ac:23:29:27:5e:fa:3e:27:36:11:17:
         b1:9d:e1:45:31:d3:5c:2a:aa:e6:78:77:75:3b:75:a8:3b:df:
         74:58:d1:7f:6a:f7:c7:6b:60:7e:3a:1b:03:e2:cc:2d:ba:c9:
         7d:f2:89:6d:5a:20:7f:a0:d7:04:66:24:1f:c8:ea:64:3b:c9:
         f5:e1:9e:f0:13:1f:ba:69:88:c6:32:85:98:40:d8:a6:16:59:
         76:e3:04:3a:0b:f2:7f:31:73:b6:d4:ab:c5:c6:a3:41:44:3b:
         a3:44:2c:22:f3:0c:c2:12:dc:a4:41:c0:86:8c:dd:e2:cc:fc:
         fe:91:13:62:cf:93:96:8a:c6:69:21:fd:83:82:e3:af:60:a9:
         86:84:e1:a8:db:eb:a4:16:c4:b7:f2:9e:45:85:41:1a:6d:36:
         c8:79:1f:8c:70:31:a2:9f:1b:8c:f4:30:b4:fb:fd:19:9c:4a:
         0a:db:01:55:24:52:75:e4:2c:bb:51:4a:40:13:7f:8f:36:25:
         c0:4d:ac:4e:f5:80:10:27:a5:fd:1e:59:74:4a:72:b8:32:3a:
         b9:9c:2e:82:a5:23:3c:9f:81:33:dd:3c:12:39:e4:03:d4:a1:
         65:75:88:b7:9c:3c:36:05:65:d6:09:fd:80:0f:12:5e:3a:4e:
         f7:9e:f7:24:91:35:72:fb:52:d5:94:14:63:65:a0:8d:8b:c1:
         77:10:ca:d6:ee:f0:84:d3:64:71:b5:05:3b:25:99:f8:c8:6d:
         a3:77:9b:56:1e:cb:60:c6:93:41:e5:4d:3c:9e:f0:e7:44:4c:
         91:49:8a:d8:bc:40:04:c2:49:36:1a:46:a1:0b:22:1b:51:7e:
         db:39:8b:4e:63:5d:ef:81:19:72:de:ba:84:29:ab:cc:d4:ca:
         7e:46:2d:15:6a:54:c6:c9:a6:0c:1d:0e:c5:31:95:c8:e9:45:
         54:81:12:d6:18:27:30:a6:3d:bc:fa:a6:9c:ad:73:8a:1d:c2:
         7e:54:80:02:56:fd:46:91:a7:85:21:ad:ef:86:8c:0c:58:70:
         d7:52:b3:20:5c:aa:bc:1e:ea:b0:1f:2e:5c:09:d5:54:9a:1d:
         bf:34:39:2b:1d:d1:8a:db:64:a4:fa:72:92:df:2d:39:89:52:
         bc:d5:a0:d7:9f:72:4a:81:9c:6b:bd:28:c9:e6:55:66:29:43:
         6b:94:34:22:c8:74:fc:ee:fe:34:ea:14:89:bd:a2:41:df:2e:
         48:44:af:59:f2:b7:f3:41

and is more or less useless without the certificate itself. The goal of a signature is to cryptographically validate that the given certificate was indeed signed by the issuer. I see no way it can be used once the certificate is already validated.

If you need something to uniquely identify a certificate, consider $ssl_client_fingerprint.

comment:5 by dmitry.rudenko.moneta.ru@…, 3 years ago

You are right, we need the signature to identify a certificate.

$ssl_client_fingerprint value is too weak (sha1) for us.

$ssl_client_sha256_fingerprint and/or $ssl_client_sha512_fingerprint would be better.

comment:6 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

Ok, thank you for the clarification. I'm closing this as the request to add $ssl_client_signature is clearly bogus.

If SHA1 of a trusted and verified certificate is not enough to identify a certificate in your case for some reason, you may consider opening another ticket about introducing a fingerprint with a different hash function.
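The stronger fingerprint asked for in comments 4 to 6 can be derived at the backend without a new nginx variable, because a certificate fingerprint is nothing more than a digest of the certificate's DER bytes. The following is an added example, not code from the ticket or from nginx; it assumes the backend receives the PEM in a header populated from $ssl_client_cert (tab-indented continuation lines, the format nginx documents for proxy_set_header) or from $ssl_client_escaped_cert (url-encoded, assumed available from nginx 1.13.5), and the header name X-Client-Cert used in the comments is a placeholder.

```python
"""Derive client-certificate fingerprints at the backend from the PEM that
nginx forwards via e.g. `proxy_set_header X-Client-Cert $ssl_client_cert;`.

Added example, not from the ticket or from nginx. Assumptions: $ssl_client_cert
prefixes every PEM line after the first with a tab; $ssl_client_escaped_cert
(assumed nginx >= 1.13.5) carries the same PEM url-encoded; X-Client-Cert is a
placeholder header name."""
import base64
import hashlib
from urllib.parse import unquote

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_from_header(value: str) -> bytes:
    """Recover the DER certificate bytes from the forwarded header value."""
    if "%" in value:                      # $ssl_client_escaped_cert form
        value = unquote(value)
    pem = value.replace("\t", "").strip()  # undo nginx's tab indentation
    if not (pem.startswith(PEM_HEADER) and pem.endswith(PEM_FOOTER)):
        raise ValueError("header does not carry a PEM certificate")
    body = pem[len(PEM_HEADER):-len(PEM_FOOTER)]
    # validate=True rejects anything that is not base64 inside the PEM body.
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprints(value: str) -> dict:
    """SHA-1 as $ssl_client_fingerprint reports it (lowercase hex, no
    separators) plus the SHA-256 digest requested in the ticket."""
    der = der_from_header(value)
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


# Constructed sample: b"abc" stands in for DER bytes so the digests can be
# checked by hand; a real certificate's DER is hashed exactly the same way.
SAMPLE_DER = b"abc"
_pem_lines = [PEM_HEADER, base64.b64encode(SAMPLE_DER).decode(), PEM_FOOTER]
SAMPLE_HEADER = "\n\t".join(_pem_lines)   # as $ssl_client_cert would render it

if __name__ == "__main__":
    for name, fp in fingerprints(SAMPLE_HEADER).items():
        print(f"{name}: {fp}")
```

Because the fingerprint is recomputed from the forwarded bytes, this only identifies the certificate nginx actually verified if the header is set by nginx and cannot be injected by the client (proxy_set_header overwrites any incoming value).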
