Hello! On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:
> Hi everyone, > > this is my first post on this mailing list, so bear with me :-) > > Sorry if my question is silly, but I haven't found any way to use a > sha256 fingerprint for client certificate validation in Nginx. Sha1 > fingerprints work fine but we are slowly going toward sha256 as hashing > function by default. The ngx_http_ssl_module documentation explicitly > specify only sha1 [1]. > > I have seen in the Trac that there is a issue open about that [2]. > Perhaps there a good reason for not having it currently. I'll be glad to > hear from you all. We are using ssl client auth for WAPT project [3] > which automates Windows workstation software install and update. The $ssl_client_fingerprint variable represents a fingerprint of a certificate which is already verified based on trusted CA certificates listed in the ssl_client_certificate directive. As such, from security point of view using SHA-1 hash function shouldn't be a problem, as it merely identifies one of the certificates previously signed (and validated). If you are trying to use $ssl_client_fingerprint literally "for client certificate validation", you are probably doing it wrong. In some setups it might be more convenient to use SHA-256 instead of SHA-1, though for now we haven't seen such requests. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx