Merge pull request #1126 from nghttp2/nghttpx-expired-client-cert
nghttpx: Add an option to accept expired client certificate
This commit is contained in:
commit
39f0ce7c25
|
@ -168,6 +168,7 @@ OPTIONS = [
|
||||||
"no-strip-incoming-x-forwarded-proto",
|
"no-strip-incoming-x-forwarded-proto",
|
||||||
"ocsp-startup",
|
"ocsp-startup",
|
||||||
"no-verify-ocsp",
|
"no-verify-ocsp",
|
||||||
|
"verify-client-tolerate-expired",
|
||||||
]
|
]
|
||||||
|
|
||||||
LOGVARS = [
|
LOGVARS = [
|
||||||
|
|
12
src/shrpx.cc
12
src/shrpx.cc
|
@ -2137,6 +2137,11 @@ SSL/TLS:
|
||||||
Path to file that contains CA certificates to verify
|
Path to file that contains CA certificates to verify
|
||||||
client certificate. The file must be in PEM format. It
|
client certificate. The file must be in PEM format. It
|
||||||
can contain multiple certificates.
|
can contain multiple certificates.
|
||||||
|
--verify-client-tolerate-expired
|
||||||
|
Accept expired client certificate. Operator should
|
||||||
|
handle the expired client certificate by some means
|
||||||
|
(e.g., mruby script). Otherwise, this option might
|
||||||
|
cause a security risk.
|
||||||
--client-private-key-file=<PATH>
|
--client-private-key-file=<PATH>
|
||||||
Path to file that contains client private key used in
|
Path to file that contains client private key used in
|
||||||
backend client authentication.
|
backend client authentication.
|
||||||
|
@ -3406,6 +3411,8 @@ int main(int argc, char **argv) {
|
||||||
{SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument,
|
{SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument,
|
||||||
&flag, 158},
|
&flag, 158},
|
||||||
{SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159},
|
{SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159},
|
||||||
|
{SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED.c_str(), no_argument, &flag,
|
||||||
|
160},
|
||||||
{nullptr, 0, nullptr, 0}};
|
{nullptr, 0, nullptr, 0}};
|
||||||
|
|
||||||
int option_index = 0;
|
int option_index = 0;
|
||||||
|
@ -4167,6 +4174,11 @@ int main(int argc, char **argv) {
|
||||||
cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS,
|
cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS,
|
||||||
StringRef::from_lit("yes"));
|
StringRef::from_lit("yes"));
|
||||||
break;
|
break;
|
||||||
|
case 160:
|
||||||
|
// --verify-client-tolerate-expired
|
||||||
|
cmdcfgs.emplace_back(SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED,
|
||||||
|
StringRef::from_lit("yes"));
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2173,6 +2173,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
break;
|
break;
|
||||||
case 30:
|
case 30:
|
||||||
switch (name[29]) {
|
switch (name[29]) {
|
||||||
|
case 'd':
|
||||||
|
if (util::strieq_l("verify-client-tolerate-expire", name, 29)) {
|
||||||
|
return SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 'r':
|
case 'r':
|
||||||
if (util::strieq_l("strip-incoming-x-forwarded-fo", name, 29)) {
|
if (util::strieq_l("strip-incoming-x-forwarded-fo", name, 29)) {
|
||||||
return SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR;
|
return SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR;
|
||||||
|
@ -3554,6 +3559,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
case SHRPX_OPTID_NO_VERIFY_OCSP:
|
case SHRPX_OPTID_NO_VERIFY_OCSP:
|
||||||
config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
|
config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
case SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED:
|
||||||
|
config->tls.client_verify.tolerate_expired = util::strieq_l("yes", optarg);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_CONF:
|
case SHRPX_OPTID_CONF:
|
||||||
LOG(WARN) << "conf: ignored";
|
LOG(WARN) << "conf: ignored";
|
||||||
|
|
|
@ -343,6 +343,8 @@ constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
|
||||||
StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
|
StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
|
||||||
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
|
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
|
||||||
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
|
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
|
||||||
|
constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
|
||||||
|
StringRef::from_lit("verify-client-tolerate-expired");
|
||||||
|
|
||||||
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
||||||
|
|
||||||
|
@ -602,6 +604,8 @@ struct TLSConfig {
|
||||||
// certificate validation
|
// certificate validation
|
||||||
StringRef cacert;
|
StringRef cacert;
|
||||||
bool enabled;
|
bool enabled;
|
||||||
|
// true if we accept an expired client certificate.
|
||||||
|
bool tolerate_expired;
|
||||||
} client_verify;
|
} client_verify;
|
||||||
|
|
||||||
// Client (backend connection) TLS configuration.
|
// Client (backend connection) TLS configuration.
|
||||||
|
@ -1125,6 +1129,7 @@ enum {
|
||||||
SHRPX_OPTID_USER,
|
SHRPX_OPTID_USER,
|
||||||
SHRPX_OPTID_VERIFY_CLIENT,
|
SHRPX_OPTID_VERIFY_CLIENT,
|
||||||
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
|
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
|
||||||
|
SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
|
||||||
SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
|
SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
|
||||||
SHRPX_OPTID_WORKER_READ_BURST,
|
SHRPX_OPTID_WORKER_READ_BURST,
|
||||||
SHRPX_OPTID_WORKER_READ_RATE,
|
SHRPX_OPTID_WORKER_READ_RATE,
|
||||||
|
|
|
@ -95,6 +95,12 @@ int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
|
||||||
if (!preverify_ok) {
|
if (!preverify_ok) {
|
||||||
int err = X509_STORE_CTX_get_error(ctx);
|
int err = X509_STORE_CTX_get_error(ctx);
|
||||||
int depth = X509_STORE_CTX_get_error_depth(ctx);
|
int depth = X509_STORE_CTX_get_error_depth(ctx);
|
||||||
|
if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
|
||||||
|
get_config()->tls.client_verify.tolerate_expired) {
|
||||||
|
LOG(INFO) << "The client certificate has expired, but is accepted by "
|
||||||
|
"configuration";
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
LOG(ERROR) << "client certificate verify error:num=" << err << ":"
|
LOG(ERROR) << "client certificate verify error:num=" << err << ":"
|
||||||
<< X509_verify_cert_error_string(err) << ":depth=" << depth;
|
<< X509_verify_cert_error_string(err) << ":depth=" << depth;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue