# HG changeset patch
# User Praveen Chaudhary <praveen5582@gmail.com>
# Date 1723406727 25200
#      Sun Aug 11 13:05:27 2024 -0700
# Node ID 9006e478c2f2a2e023fba104aff9c175c3e17e49
# Parent  b5550a7f16c795f394f9d1ac87132dd2b7ef0e41
Make ssl_client_certificate directive optional with TLSv1.3.

- As per RFC 8446 Section 4.2.4, server MAY (not SHOULD or MUST)
  send Certificate Authorities (CAs) in the Certificate Request
  packet. This makes ssl_client_certificate directive optional
  when only TLS 1.3 is used for mutual TLS configurations.

- Today, nginx requires the ssl_client_certificate directive to
  point to a CA certificate file whenever ssl_verify_client is
  enabled, even when only TLS 1.3 is in use; otherwise the
  configuration is rejected and nginx fails to start or reload.

diff -r b5550a7f16c7 -r 9006e478c2f2 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Fri Aug 09 19:12:26 2024 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c	Sun Aug 11 13:05:27 2024 -0700
@@ -787,10 +787,16 @@
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }
 
         if (ngx_ssl_client_certificate(cf, &conf->ssl,
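Review bot: The relaxed check in the new `if (conf->protocols & ~NGX_SSL_TLSv1_3)` branch lets `ssl_verify_client on` be configured with no trust anchor at all: when only TLSv1.3 is enabled and both ssl_client_certificate and ssl_trusted_certificate are unset, presumably nothing is loaded into the verify store, so every client that presents a certificate is rejected at handshake time instead of the misconfiguration being caught at load time. Omitting the CA list from CertificateRequest is fine under RFC 8446, but the server still needs CAs to chain the client certificate to, and in nginx those can come from ssl_trusted_certificate when ssl_client_certificate is empty. I would keep the load-time error unless one of the two is set, e.g. `if (conf->client_certificate.len == 0 && conf->verify != 3 && ((conf->protocols & ~NGX_SSL_TLSv1_3) || conf->trusted_certificate.len == 0))`, and widen the message to "no ssl_client_certificate or ssl_trusted_certificate for ssl_verify_client" for the TLSv1.3-only case (the trusted_certificate field is not visible in this hunk; I am assuming the usual srv_conf layout). The enclosing merge function begins and ends outside the hunk.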
diff -r b5550a7f16c7 -r 9006e478c2f2 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Fri Aug 09 19:12:26 2024 +0400
+++ b/src/mail/ngx_mail_ssl_module.c	Sun Aug 11 13:05:27 2024 -0700
@@ -450,12 +450,19 @@
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }
 
+
         if (ngx_ssl_client_certificate(cf, &conf->ssl,
                                        &conf->client_certificate,
                                        conf->verify_depth)
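Review bot: The comment added at the top of the new block describes the branch it is not in: it sits inside `if (conf->protocols & ~NGX_SSL_TLSv1_3)`, the case where a protocol other than TLSv1.3 is enabled and the CA file remains mandatory, yet it explains why TLSv1.3 may omit it. It also does not follow the file's `/*` … ` * ` … ` */` comment layout, and the extra blank line inserted before the ngx_ssl_client_certificate() call is an unrelated whitespace change. I would drop the blank line and move the comment above the outer if, worded as `/* a TLSv1.3-only server may omit certificate_authorities (RFC 8446, 4.2.4); a CA file is only mandatory when an older protocol is enabled */` split over two lines in nginx style. The merge function this sits in starts and ends outside the hunk.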
diff -r b5550a7f16c7 -r 9006e478c2f2 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Fri Aug 09 19:12:26 2024 +0400
+++ b/src/stream/ngx_stream_ssl_module.c	Sun Aug 11 13:05:27 2024 -0700
@@ -932,10 +932,16 @@
 
     if (conf->verify) {
 
-        if (conf->client_certificate.len == 0 && conf->verify != 3) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl_client_certificate for ssl_verify_client");
-            return NGX_CONF_ERROR;
+        if (conf->protocols & ~NGX_SSL_TLSv1_3) {
+            /*
+            For TLS 1.3, It is optional to send Certificate Authorities in
+            Certificate Request Packet. RFC 8446#section-4.2.4
+            */
+            if (conf->client_certificate.len == 0 && conf->verify != 3) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                            "no ssl_client_certificate for ssl_verify_client");
+                return NGX_CONF_ERROR;
+            }
         }
 
         if (ngx_ssl_client_certificate(cf, &conf->ssl,
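Review bot: The new condition `conf->protocols & ~NGX_SSL_TLSv1_3` silently depends on which other bits the merged bitmask carries, and neither the code nor the comment says so: if I recall the merge correctly, the default value is OR'd with NGX_CONF_BITMASK_SET, so an unset ssl_protocols (TLSv1.2 and TLSv1.3 by default) and any explicit list containing an older version still run the check as intended, while an explicit `ssl_protocols TLSv1.3;` leaves only the TLSv1_3 bit and skips it — correct, but worth stating. The nesting can also be flattened into one condition, leaving the existing error path untouched: `if (conf->client_certificate.len == 0 && conf->verify != 3 && (conf->protocols & ~NGX_SSL_TLSv1_3))`. A comment such as `/* a CA file is only required if a pre-TLSv1.3 protocol is enabled; TLSv1.3 may omit certificate_authorities (RFC 8446, 4.2.4) */` above it would make the intent readable. The enclosing merge function starts and ends outside the hunk.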
