| From | Sent On | Attachments |
|---|---|---|
| Brice Figureau | Jul 21, 2009 11:01 am | |
| Igor Sysoev | Jul 22, 2009 1:43 am | |
| Brice Figureau | Jul 22, 2009 3:21 am | |
| Brice Figureau | Jul 22, 2009 4:39 am | |
| Igor Sysoev | Jul 22, 2009 5:15 am | |
| Igor Sysoev | Jul 22, 2009 7:52 am | .optional |
| Brice Figureau | Jul 22, 2009 10:15 am | |
| Brice Figureau | Jul 22, 2009 10:20 am | |
| Igor Sysoev | Jul 22, 2009 11:38 am | |
| Igor Sysoev | Jul 22, 2009 11:42 am | |
| Brice Figureau | Jul 22, 2009 12:13 pm | |
| Igor Sysoev | Jul 22, 2009 12:23 pm | |
| Brice Figureau | Jul 22, 2009 2:17 pm | |
| Tom Keyser | Jul 22, 2009 5:50 pm | |
| Glen Lumanau | Jul 22, 2009 5:59 pm | |
| Edward Middleton | Jul 22, 2009 7:26 pm | |
| Cliff Wells | Jul 22, 2009 8:22 pm | |
| Igor Sysoev | Jul 23, 2009 12:08 am | |
| Igor Sysoev | Jul 23, 2009 12:56 am | .crl |
| Brice Figureau | Jul 23, 2009 4:32 am | |
| Subject: | Re: New SSL features for Nginx. | |
|---|---|---|
| From: | Igor Sysoev (is...@rambler-co.ru) | |
| Date: | Jul 22, 2009 1:43:59 am | |
| List: | ru.sysoev.nginx | |
On Tue, Jul 21, 2009 at 08:02:05PM +0200, Brice Figureau wrote:
Hi,
For Puppet[1] Nginx deployment (that is, using Nginx as a front-end load balancer to puppetmasters[2]), I had to create the following two patches, to match Apache behaviour:
* The first patch allows:
  + a new variant of ssl_client_verify: optional. In this mode, if the client sends a certificate it is verified, but if the client doesn't send a certificate, the connection is authorized too.
  + a new variable: $ssl_client_verify, which contains either NONE, SUCCESS or FAILURE depending on the verification status. It can be used to send information to the upstream about the client verification.
* The second patch adds CRL support to the client certificate verification:
ssl_crl /path/to/crl.pem;
Nginx then verifies the client certificate hasn't been revoked in the given CRL before allowing the connection to proceed.
For access to the patches, please see my last blog article: http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
It would be great if those patches could be merged in the official Nginx source tree.
Thank you, I have looked at the patches. It was really a surprise for me that OpenSSL 0.9.7 supports CRL. I read in an old enough book, "Network Security with OpenSSL", written when 0.9.7 was being developed, that OpenSSL has no built-in CRL support. Then I have looked in Apache's mod_ssl sources and its CRL support seemed to me very heavy: mod_ssl does a lot of useless operations. I think that it's enough to store the hash of only the public key of all CRL certificates (including intermediate ones). Have you looked at how CRL is implemented in OpenSSL?
-- Igor Sysoev http://sysoev.ru/en/
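As an added configuration example (not part of the thread or of the patches themselves), this is how a Puppet front-end would combine the optional client verification, the $ssl_client_verify variable and the CRL check described above; the hostnames, ports, file paths and header names are assumptions, and the directive is spelled ssl_verify_client as nginx defines it:

```nginx
# Added example, not from the thread: nginx front-end for puppetmasters.
# Hostnames, ports, paths and header names are placeholders.
upstream puppetmasters {
    server 127.0.0.1:18140;
    server 127.0.0.1:18141;
}

server {
    listen 8140 ssl;
    server_name puppet.example.com;

    ssl_certificate      /etc/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key  /etc/puppet/ssl/private_keys/puppet.example.com.pem;

    # CA that issued the agents' client certificates.
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;

    # First patch: verify a certificate if the client presents one, but
    # still accept connections from clients that present none. The
    # upstream decides what an unauthenticated client may do, based on
    # the headers set below.
    ssl_verify_client optional;

    # Second patch: reject certificates listed in the CA's CRL, so a
    # revoked agent is refused even though its certificate still chains
    # to the trusted CA.
    ssl_crl /etc/puppet/ssl/ca/ca_crl.pem;

    location / {
        proxy_pass http://puppetmasters;
        proxy_set_header Host $host;

        # Pass the front-end's verdict to the upstream. With the patch the
        # value is NONE, SUCCESS or FAILURE. The upstream must accept these
        # headers only from this front-end, never directly from clients,
        # otherwise a client could claim a SUCCESS it never earned.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}
```

The nginx releases that later shipped this feature report a failed verification as FAILED:reason rather than FAILURE, so an upstream that matches on the exact string should be written against the version actually deployed.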