Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#315 closed defect (invalid)

Malformed client SSL certificate while setting as header

Reported by: Амир Ахмадович Касимов
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.2.x
Keywords: ssl, proxy
Cc:
uname -a: Linux hades 3.5.1-gentoo #17 SMP Mon Feb 4 15:03:21 IRST 2013 x86_64 Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.2.6
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-scgi-temp-path=/var/tmp/nginx/scgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-ipv6 --with-pcre --with-http_realip_module --with-http_ssl_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx

Description

When I check for the SSL client certificate ($ssl_client_cert with HttpSslModule, set by proxy_set_header), I see an invalid PEM format:

-----BEGIN CERTIFICATE-----
 MIIDOzCCAiOgAwIBAgIAMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNVBAYTAklSMQ8w
 DQYDVQQIEwZUZWhyYW4xDzANBgNVBAcTBlRlaHJhbjENMAsGA1UEChMEbWVoLjEn
 MCUGA1UECxMeRG9jcnlwdG8gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MREwDwYDVQQD
 EwhEb2NyeXB0bzAeFw0xMzAzMDkwNjU3MzBaFw0xNDAzMDkwNjU3MzBaMGgxCzAJ
 BgNVBAYTAklSMQ8wDQYDVQQIEwZUZWhyYW4xDzANBgNVBAcTBlRlaHJhbjENMAsG
 A1UEChMEbWVoLjEWMBQGA1UECxMNRG9jcnlwdG8gVXNlcjEQMA4GA1UEAxQHVXNl
 ciAjMTCBnzANBKDMWDW02!@E/DWADAOBjQAwgYkCgYEAxbaOyi8i1dSJ/61aBCFk
 1GjrHL47oDvlIMd72LGN/zI4opAo4KHUMQNr/DySpF4/P04udN2iP00gPhpxcnYZ
 q1Qmz1Zhw2NoQFRflMMPXYz9bPrJWs8KzW6wrPso14kfZ7MiF4f7gtQteFaaXDTB
 xfkCUBlGOAgKRzceJBYx/78CAwEAAaNjMGEwCQYDVR0TBAIwADA1BglghkgBhvhC
 AQ0EKBYmcHlPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYD
 VR0OBBYEFHS4mh1BAojbEQx6FTvoAJcL7FAAMA0GCSqGSIb3DQEBBQUAA4IBAQB7
 Asejey8exTGlEoVhMmfQAdZ2zeWJWLGEa2nIbl1wyTnHGazPCJdxygl+ildDPt0k
 9dcQx6qT55wBGm85AvbeZC5T2chVEEHOwtdLcMSGO2LRVVZlAjBXK4vxv/bHMj/P
 OnaSZnGhRCeWYM88AgFCO1n/h7IcRj/hkoAkVV8uGuB+/SEW3VVQRYBnBBXLU32B
 b3bjTsMsXHOr48v55ZnPUKC66oR9RstbCaoWDLWDSLDqpwTJAWc7eOyiaey/Pox9
 Iiy6D7DAMfDJVgvVBQMXl+uvTrz6ZhdBl/utzoHuiyodGmU5K5e5RX2dTYGeuh64
 RrJ9UJ170Mx7OEoceIjY
 -----END CERTIFICATE-----

Note the extraneous space after the first line. This needs a hack for applications working with client certification.

Change History (2)

comment:1 by Maxim Dounin, 8 years ago

Resolution: invalid
Status: new → closed

You may find unmodified client's certificate in the $ssl_client_raw_cert variable. Downside is that it can't be used in proxy_set_header as a header value due to newlines (the $ssl_client_cert variable appends a whitespace after each newline to use header continuation).

comment:2 by Амир Ахмадович Касимов, 8 years ago

Sorry. I thought it's possible to pass header values containing LF since the separator is CRLF. Seems I was wrong.
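
The header folding described in comment:1 can be undone on the backend before the value is handed to a certificate parser. The following is an added example, not part of the ticket or of nginx: the function name and the sample bytes are hypothetical, and it assumes the folds may arrive either as a newline followed by a space or tab, or already replaced by single spaces by an intermediate HTTP parser.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def unfold_client_cert(header_value):
    """Return (canonical_pem, der_bytes) for a folded certificate header value."""
    match = PEM_BLOCK.search(header_value)
    if match is None:
        raise ValueError("no PEM certificate block in header value")
    # Line breaks and the continuation whitespace after them only separate
    # base64 chunks, so removing all whitespace recovers the original body.
    body = "".join(match.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)  # strict: reject stray characters
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der:
        raise ValueError("empty certificate body")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n", der


def constructed_sample():
    """Constructed placeholder bytes (not a real certificate), folded as in the ticket."""
    der = bytes(range(120))
    b64 = base64.b64encode(der).decode("ascii")
    pem = "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"
    folded = pem.rstrip("\n").replace("\n", "\n ")  # a space after every newline
    return der, pem, folded


if __name__ == "__main__":
    der, pem, folded = constructed_sample()
    fixed_pem, fixed_der = unfold_client_cert(folded)
    print(fixed_pem == pem, fixed_der == der)
```

The returned PEM string can be passed to whatever X.509 library the application already uses; the strict base64 check rejects a header whose body was altered or truncated in transit.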
