On Jan 10, 2017, at 3:41 PM, Ethan Rahn via nginx-devel <nginx-devel@nginx.org> 
wrote:
> 
> Hello,
> 
> I noticed that nginx does not check x509v3 certificates (in 
> event/ngx_event_openssl.c::ngx_ssl_get_client_verify as an example) to see 
> that the optional extended key usage settings are correct. I have a patch for 
> this that I would like to contribute, but I'm unable to find contribution 
> guidelines on the nginx website.
http://nginx.org/en/docs/contributing_changes.html

> The effect of this issue is that someone could offer a client certificate 
> that has extended key usage set to, say, serverAuth. This would be a violation 
> of RFC 5280 - Section 4.2.1.12. I fix this by checking the bitfield manually 
> to see that the settings are correct.
> 
> Cheers,
> 
> Ethan
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

Attachment: signature.asc
Description: Message signed with OpenPGP
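
The check described in the quoted message, as an added example (not nginx code and not the patch from this thread): a dependency-free C routine that walks the DER contents of an extKeyUsage extension and accepts a certificate for client authentication only when the extension is absent or lists id-kp-clientAuth. The function names, the allow_any switch and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* DER contents of id-kp-clientAuth and anyExtendedKeyUsage (RFC 5280, 4.2.1.12). */
static const unsigned char OID_CLIENT_AUTH[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02};
static const unsigned char OID_ANY_EKU[]     = {0x55,0x1D,0x25,0x00};
/* Constructed sample extension values (not taken from real certificates). */
static const unsigned char SAMPLE_SERVER_ONLY[] = {
    0x30,0x0A, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char SAMPLE_CLIENT_SERVER[] = {
    0x30,0x14, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,
               0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char SAMPLE_ANY_ONLY[] = {0x30,0x06, 0x06,0x04,0x55,0x1D,0x25,0x00};

enum eku_result { EKU_OK, EKU_WRONG_PURPOSE, EKU_MALFORMED };

/* Read one TLV header at *p. Accepts short-form and 1-2 byte long-form
 * lengths; minimal-length encoding is not enforced. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {
        size_t nbytes = n & 0x7F;
        if (nbytes == 0 || nbytes > 2 || (size_t)(end - *p) < nbytes) return -1;
        for (n = 0; nbytes > 0; nbytes--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;   /* contents must fit in the buffer */
    *len = n;
    return 0;
}

/* eku/eku_len: contents of the extKeyUsage extnValue (a SEQUENCE OF OID),
 * or NULL when the certificate carries no such extension. */
enum eku_result check_client_eku(const unsigned char *eku, size_t eku_len, int allow_any)
{
    if (eku == NULL) return EKU_OK;           /* extension absent: no restriction */
    const unsigned char *p = eku, *end = eku + eku_len;
    unsigned char tag; size_t len; int found = 0;
    if (der_header(&p, end, &tag, &len) != 0 || tag != 0x30 || len == 0 || p + len != end)
        return EKU_MALFORMED;                 /* exactly one non-empty SEQUENCE */
    while (p < end) {
        if (der_header(&p, end, &tag, &len) != 0 || tag != 0x06 || len == 0)
            return EKU_MALFORMED;             /* every element must be an OID */
        found |= len == sizeof OID_CLIENT_AUTH && memcmp(p, OID_CLIENT_AUTH, len) == 0;
        found |= allow_any && len == sizeof OID_ANY_EKU && memcmp(p, OID_ANY_EKU, len) == 0;
        p += len;
    }
    return found ? EKU_OK : EKU_WRONG_PURPOSE;
}
```

Whether anyExtendedKeyUsage alone should satisfy the check is a policy choice that RFC 5280 leaves to the application, which is why it is a parameter here.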
