atom feed20 messages in ru.sysoev.nginxRe: New SSL features for Nginx.
FromSent OnAttachments
Brice FigureauJul 21, 2009 11:01 am 
Igor SysoevJul 22, 2009 1:43 am 
Brice FigureauJul 22, 2009 3:21 am 
Brice FigureauJul 22, 2009 4:39 am 
Igor SysoevJul 22, 2009 5:15 am 
Igor SysoevJul 22, 2009 7:52 am.optional
Brice FigureauJul 22, 2009 10:15 am 
Brice FigureauJul 22, 2009 10:20 am 
Igor SysoevJul 22, 2009 11:38 am 
Igor SysoevJul 22, 2009 11:42 am 
Brice FigureauJul 22, 2009 12:13 pm 
Igor SysoevJul 22, 2009 12:23 pm 
Brice FigureauJul 22, 2009 2:17 pm 
Tom KeyserJul 22, 2009 5:50 pm 
Glen LumanauJul 22, 2009 5:59 pm 
Edward MiddletonJul 22, 2009 7:26 pm 
Cliff WellsJul 22, 2009 8:22 pm 
Igor SysoevJul 23, 2009 12:08 am 
Igor SysoevJul 23, 2009 12:56 am.crl
Brice FigureauJul 23, 2009 4:32 am 
Subject:Re: New SSL features for Nginx.
From:Brice Figureau (bric@daysofwonder.com)
Date:Jul 22, 2009 4:39:34 am
List:ru.sysoev.nginx

On Wed, 2009-07-22 at 12:21 +0200, Brice Figureau wrote:

Hi Igor,

On Wed, 2009-07-22 at 12:44 +0400, Igor Sysoev wrote:

On Tue, Jul 21, 2009 at 08:02:05PM +0200, Brice Figureau wrote:

Hi,

For Puppet[1] Nginx deployement (that is using Nginx as a front-end load-balancers to puppetmasters[2]), I had to create the following two patches, to match Apache behaviour:

* The first patch allows: + a new variant of ssl_client_verify: optional. In this mode, if the client sends a certificate it is verified, but if the client doesn't send a certificate, the connection is authorized too.

+ a new variable: $ssl_client_verify which contains, either NONE, SUCCESS or FAILURE depending on the verification status. It can be used to send information to the upstream about the client verification.

* The second patch adds CRL support to the client certificate verification:

ssl_crl /path/to/crl.pem;

Nginx then verifies the client certificate hasn't been revoked in the given CRL before allowing the connection to proceed.

For access to the patches, please see my last blog article: http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/

It would be great if those patches could be merged in the official Nginx source tree.

Thank you, I have looked the patches, it was really surpise for me that OpenSSL 0.9.7 supports CRL. I read in old enough book "Network Security with OpenSSL" written when 0.9.7 was being developed, that OpenSSL has no built-in CRL support.

Ah, ok. I based all my development on OpenSSL 0.9.8, since that's what I'm building Nginx againt. And definitely there is CRL support. Is OpenSSL 0.9.7 a strict dependency for Nginx?

Then I have looked in Apache's mod_ssl sources and its CRL support seemed to me very heavy: mod_ssl does a lot of useless operations.

Which ones? What I don't get is why they're doing the CRL verification themselves. I found this comment in the code: * OpenSSL provides the general mechanism to deal with CRLs but does not * use them automatically when verifying certificates, so we do it * explicitly here. We will check the CRL for the currently checked * certificate, if there is such a CRL in the store.

This seems wrong to me, as I already tested, and it works fine at least in version 0.9.8.

I think that it's enough to store hash of only public key of all CRL certificates (including intermediate ones).

Why reinvent the wheel? The CRL is a standard thing (see RFC 3280), and basically this is a DER encoded ASN1 structure containing the list of the revoked certificates serial number, signed by the CA cert.

Have you looked how CRL is implemented in OpenSSL ?

Yes, I did. It is pretty extensive, and matches RFC3280.

I'll fetch OpenSSL 0.9.7 to see if it supports or not CRL, but I'd be suprised it wouldn't.

Good news! I checked the OpenSSL Changelog and CRL verification has been added in version 0.9.7. So if Nginx requires this version (and up), which is I think what it does, then my CRL patch is enough to get CRL support for Nginx :-)

Thanks,

-- Brice Figureau My Blog: http://www.masterzen.fr/