ssl_client_fingerprint and sha256

2019-12-02 Thread Denis Cardon

Hi everyone,

this is my first post on this mailing list, so bear with me :-)

Sorry if my question is silly, but I haven't found any way to use a 
sha256 fingerprint for client certificate validation in Nginx. Sha1 
fingerprints work fine but we are slowly going toward sha256 as hashing 
function by default. The ngx_http_ssl_module documentation explicitly 
specifies only sha1 [1].


I have seen in the Trac that there is an issue open about that [2]. 
Perhaps there is a good reason for not having it currently. I'll be glad to 
hear from you all. We are using ssl client auth for WAPT project [3] 
which automates Windows workstation software install and update.


Cheers,

Denis

[1] http://nginx.org/en/docs/http/ngx_http_ssl_module.html
[2] https://trac.nginx.org/nginx/ticket/1302
[3] https://doc.wapt.fr

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: ssl_client_fingerprint and sha256

2019-12-02 Thread Maxim Dounin
Hello!

On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:

> Hi everyone,
> 
> this is my first post on this mailing list, so bear with me :-)
> 
> Sorry if my question is silly, but I haven't found any way to use a 
> sha256 fingerprint for client certificate validation in Nginx. Sha1 
> fingerprints work fine but we are slowly going toward sha256 as hashing 
> function by default. The ngx_http_ssl_module documentation explicitly 
> specifies only sha1 [1].
> 
> I have seen in the Trac that there is an issue open about that [2]. 
> Perhaps there is a good reason for not having it currently. I'll be glad to 
> hear from you all. We are using ssl client auth for WAPT project [3] 
> which automates Windows workstation software install and update.

The $ssl_client_fingerprint variable represents a fingerprint of 
a certificate which is already verified based on trusted CA 
certificates listed in the ssl_client_certificate directive.  As 
such, from a security point of view using the SHA-1 hash function 
shouldn't be a problem, as it merely identifies one of the 
certificates previously signed (and validated).

If you are trying to use $ssl_client_fingerprint literally "for 
client certificate validation", you are probably doing it wrong.

In some setups it might be more convenient to use SHA-256 instead 
of SHA-1, though for now we haven't seen such requests.

-- 
Maxim Dounin
http://mdounin.ru/

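The distinction Maxim draws above, as an added nginx configuration example (not from the thread or from the nginx project): the CA check in ssl_verify_client is the trust decision, and $ssl_client_fingerprint only selects which already-accepted certificate is talking. Paths, the server name, the backend address and the fingerprint value are placeholders.

```nginx
# Added example, not from the mailing-list thread. Placeholder paths and values.

# $ssl_client_fingerprint is the SHA-1 of the client certificate's DER encoding,
# emitted by nginx as lowercase hex without colons (40 characters).
# Map it to an application identity; unknown fingerprints map to "".
map $ssl_client_fingerprint $client_id {
    default                                   "";
    "0123456789abcdef0123456789abcdef01234567" "workstation-42";  # placeholder
}

server {
    listen 443 ssl;
    server_name wapt.example;                        # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Step 1: validation. The client certificate must chain to this CA,
    # otherwise nginx rejects the handshake before any variable is evaluated.
    # This is what makes the fingerprint trustworthy as an identifier.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Step 2: authorization. Among the certificates the CA already signed,
        # pick the one we expect. SHA-1 is an identifier here, not a trust
        # anchor, which is why its weakness as a hash does not matter.
        if ($client_id = "") {
            return 403;
        }
        proxy_set_header X-Client-Id $client_id;
        proxy_pass http://127.0.0.1:8080;            # placeholder backend
    }
}
```

The "doing it wrong" pattern Maxim refers to is the same map paired with ssl_verify_client set to optional_no_ca (or off): without the CA check the fingerprint carries the whole trust decision, and then the choice of hash function does become security-relevant. Keeping ssl_verify_client on makes the SHA-1 versus SHA-256 question a matter of convenience only, which is the point the thread settles on.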

Re: ssl_client_fingerprint and sha256

2019-12-02 Thread Denis Cardon

Priviet!

> On Mon, Dec 02, 2019 at 10:55:09AM +0100, Denis Cardon wrote:
> 
>> Hi everyone,
>> 
>> this is my first post on this mailing list, so bear with me :-)
>> 
>> Sorry if my question is silly, but I haven't found any way to use a
>> sha256 fingerprint for client certificate validation in Nginx. Sha1
>> fingerprints work fine but we are slowly going toward sha256 as hashing
>> function by default. The ngx_http_ssl_module documentation explicitly
>> specifies only sha1 [1].
>> 
>> I have seen in the Trac that there is an issue open about that [2].
>> Perhaps there is a good reason for not having it currently. I'll be glad to
>> hear from you all. We are using ssl client auth for WAPT project [3]
>> which automates Windows workstation software install and update.
> 
> The $ssl_client_fingerprint variable represents a fingerprint of
> a certificate which is already verified based on trusted CA
> certificates listed in the ssl_client_certificate directive.  As
> such, from a security point of view using the SHA-1 hash function
> shouldn't be a problem, as it merely identifies one of the
> certificates previously signed (and validated).
> 
> If you are trying to use $ssl_client_fingerprint literally "for
> client certificate validation", you are probably doing it wrong.
> 
> In some setups it might be more convenient to use SHA-256 instead
> of SHA-1, though for now we haven't seen such requests.

Actually it is the last case: it is more for convenience of not storing 
both SHA-1 and SHA-256 fingerprints on the server... As you say it is 
not a security issue, but when having a security audit (we will have to 
renew our CSPN [1] certification on WAPT next year), one has to explain 
why using older cryptography is not an issue in the specific use case. 
So we will just do the explanation.


Spasibo a lot for your explanations!

Denis

[1] https://www.ssi.gouv.fr/en/security-visa/