feature: add ssl trusted certificate #2329
Conversation
theweakgod
changed the title
|
Will you show us a detailed example of the mTLS failed |
The scenario is as follows: verify_client will send the subject names of all CA. However, we do not want to expose the root subject name, so verify_client only wants to send the subject names of the intermediate CA to the client. So we only set intermediate CA in verify_client, but this will cause the verification to fail because the root CA is not trusted. We have tried configuring nginx ssl_trusted_certificate and simultaneously calling verify_client to send the intermediate CA, but found it doesn't work. After reading the source code, I discovered that verify_client overrides the cert->verify_store configured in nginx, and this operation is implicit in verify_client. So, I created this pull request. This scenario can be resolved by configuring nginx as follows: ssl_client_certificate client-server.crt; More details can be found in Test 13(140-ssl-c-api.t). |
src/ngx_http_lua_ssl_certby.c
Outdated
| @@ -1468,8 +1468,8 @@ ngx_http_lua_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) | |||
|
|
|||
|
|
|||
| int | |||
| ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs, | |||
| int depth, char **err) | |||
| ngx_http_lua_ffi_ssl_verify_client(ngx_http_request_t *r, void *ca_certs, | |||
There was a problem hiding this comment.
please remove the trailing space
src/ngx_http_lua_ssl_certby.c
Outdated
| *err = "X509_STORE_add_cert() failed"; | ||
| goto failed; | ||
| if (trusted_chain != NULL) { | ||
|
|
There was a problem hiding this comment.
remove the extra blank line
This mainly adds the ssl_trusted_certificate feature to avoid issues where CA authentication issued by secondary certificates cannot succeed in mTLS. Added the trusted_cert parameter option for verify_client.
I have made the corresponding modifications at the lua-resty-core:
openresty/lua-resty-core#473