mirror of
https://github.com/nginx/nginx.git
synced 2024-11-23 20:19:02 +08:00
SSL: optional ssl_client_certificate for ssl_verify_client.
Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names. In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.
In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version. For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.
The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142). Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed. A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db
).
Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>
This commit is contained in:
parent
1a64c196a7
commit
18afcda938
@ -787,9 +787,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
if (conf->verify) {
|
if (conf->verify) {
|
||||||
|
|
||||||
if (conf->client_certificate.len == 0 && conf->verify != 3) {
|
if (conf->verify != 3
|
||||||
|
&& conf->client_certificate.len == 0
|
||||||
|
&& conf->trusted_certificate.len == 0)
|
||||||
|
{
|
||||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||||
"no ssl_client_certificate for ssl_verify_client");
|
"no ssl_client_certificate or "
|
||||||
|
"ssl_trusted_certificate for ssl_verify_client");
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -450,9 +450,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
if (conf->verify) {
|
if (conf->verify) {
|
||||||
|
|
||||||
if (conf->client_certificate.len == 0 && conf->verify != 3) {
|
if (conf->verify != 3
|
||||||
|
&& conf->client_certificate.len == 0
|
||||||
|
&& conf->trusted_certificate.len == 0)
|
||||||
|
{
|
||||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||||
"no ssl_client_certificate for ssl_verify_client");
|
"no ssl_client_certificate or "
|
||||||
|
"ssl_trusted_certificate for ssl_verify_client");
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1008,9 +1008,13 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||||||
|
|
||||||
if (conf->verify) {
|
if (conf->verify) {
|
||||||
|
|
||||||
if (conf->client_certificate.len == 0 && conf->verify != 3) {
|
if (conf->verify != 3
|
||||||
|
&& conf->client_certificate.len == 0
|
||||||
|
&& conf->trusted_certificate.len == 0)
|
||||||
|
{
|
||||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||||
"no ssl_client_certificate for ssl_verify_client");
|
"no ssl_client_certificate or "
|
||||||
|
"ssl_trusted_certificate for ssl_verify_client");
|
||||||
return NGX_CONF_ERROR;
|
return NGX_CONF_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user