Re: Does Nginx allow to specify multiple root certificates for client certificate verification?

August 10, 2012 05:28AM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Jul 31, 2012 at 11:21:26AM -0400, ffeldhaus wrote:
>
> > Hi,
> >
> > Maxim Dounin Wrote:
> > >
> > > Hello!
> > >
> > > On Tue, Jul 31, 2012 at 05:43:31AM -0400, ffeldhaus wrote:
> > >
> > > > For a project as part of the European Grid Infrastructure (EGI) we need SSL client certificate verification for a service running on nginx. As there are several root CAs allowed within EGI, we need nginx to check them all during client certificate validation. In the documentation of nginx I could only find the parameter ssl_client_certificate which allows to specify just one file containing a root certificate.
> > > >
> > > > Is there a way to specify more than one root CA for client certificate verification in nginx or do I have to use Apache for this?
> > >
> > > Yes. Just put multiple root CA certificates into a file specified in the ssl_client_certificate directive.
> > >
> > > Note the docs explicitly say "certificates" (plural), see http://nginx.org/r/ssl_client_certificate.
> >
> > I had hoped there would be another way. Putting the currently 105 certificates in one file may work, but the problem is that the certificates may change, and with 105 CA certificates at the moment the chance that a certificate is updated/revoked is not negligible anymore.
>
> If a CA certificate is updated/revoked it probably needs some double checking by a human anyway. Updating the file and asking nginx to reload its config isn't going to be a big deal then.

I don't agree. For most Linux distributions you get a list of CA certificates automatically installed, and they are often updated transparently to the administrator. For EGI this is even more true, as there is a secure, certified way in which certificates are created / updated / removed by a daily cron job. Again, this is transparent to the user.

> > I could write a cron job to update the single certificate file after each update, but it would be much easier if nginx would support multiple CA certificate files out of the box. For Apache there is a directive called SSLCACertificatePath to do just this. Do you think this could be a feature worth implementing in Nginx? If so, how could I help?
>
> The "certificate file" vs "certificate path" difference isn't about running something after updates of certificates or not (in both cases you have to update something, either cat to a single file or run the c_rehash script to create symbolic links in the case of CApath). The difference is about certificates in memory vs. certificates on disk, and the latter implies syscalls and disk access on each certificate check.
>
> As nginx is designed to work under high loads, with many requests (and handshakes) per second, it uses the CAfile variant. And as nginx configuration reload is seamless, it's unlikely the CApath variant will add any extra value.

I disagree. The fastest way to do a lookup is to use the hash-based filename lookup. If there are lots of certificates in one file, the lookup will take a lot longer than the creation of a hash for the CA to be looked up and then the lookup using the hash-based filenames of the CA certificates. It would be interesting to see why the Apache guys are using the hash-based CA lookup, and also a profiling of file vs. directory based CA lookup. If I find the time, I will measure the response time for Apache using both methods and compare them to Nginx.

Cheers,
Florian
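The cron-job approach discussed in this thread (keep one PEM file per CA in a directory, and regenerate the single bundle that nginx's ssl_client_certificate directive expects whenever the directory changes) can be implemented as below. This is an added example, not code from the thread or from the nginx project; the directory and output paths are assumptions, only CERTIFICATE blocks are copied (a stray key or CRL in the directory never reaches the trust bundle), duplicate CAs are dropped by comparing the SHA-256 of their DER encoding, and the bundle is written atomically so a reload never reads a half-written file. The exit code convention (0 when the bundle changed, 3 when it did not) is my own, chosen so that the cron line can reload nginx only when something actually changed.

```python
import base64
import hashlib
import os
import re
import sys

# Matches one PEM CERTIFICATE block; other PEM block types are deliberately
# not matched so they cannot end up in the trust bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_der_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    certs = []
    for body in PEM_CERT.findall(pem_text):
        # Strict base64 so a corrupted file fails loudly instead of
        # silently producing a bundle that is missing a CA.
        certs.append(base64.b64decode("".join(body.split()), validate=True))
    return certs


def to_pem(der):
    """Re-encode DER bytes as a canonical PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def build_bundle(pem_texts):
    """Merge several PEM texts into one bundle, dropping duplicate
    certificates (same DER, hence same SHA-256).  Returns (text, count)."""
    seen = set()
    blocks = []
    for text in pem_texts:
        for der in extract_der_certs(text):
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:
                continue
            seen.add(fingerprint)
            blocks.append(to_pem(der))
    return "".join(blocks), len(blocks)


def build_ca_bundle(src_dir, out_path):
    """Read every *.pem / *.crt file in src_dir (sorted, so the result is
    stable), rewrite out_path only if the content changed, and return
    (cert_count, changed).  The write is atomic: temp file + os.replace."""
    texts = []
    for name in sorted(os.listdir(src_dir)):
        if name.endswith((".pem", ".crt")):
            with open(os.path.join(src_dir, name), encoding="ascii") as fh:
                texts.append(fh.read())
    bundle, count = build_bundle(texts)

    old = None
    if os.path.exists(out_path):
        with open(out_path, encoding="ascii") as fh:
            old = fh.read()
    if old == bundle:
        return count, False

    tmp = out_path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write(bundle)
    os.replace(tmp, out_path)
    return count, True


if __name__ == "__main__":
    # Assumed paths; e.g. a daily cron entry such as
    #   build_ca_bundle.py /etc/grid-security/certificates /etc/nginx/egi-ca-bundle.pem && nginx -s reload
    src_dir, out_path = sys.argv[1], sys.argv[2]
    n, changed = build_ca_bundle(src_dir, out_path)
    print(f"{n} CA certificates; bundle {'rewritten' if changed else 'unchanged'}")
    sys.exit(0 if changed else 3)
```

The resulting file is what goes into `ssl_client_certificate` (with `ssl_verify_client on;`), so the in-memory CAfile lookup Maxim describes is preserved while the per-CA files on disk are managed by whatever distribution or EGI tooling updates them. Because the script only returns 0 when the bundle content changed, the `&& nginx -s reload` step runs only on real changes rather than on every cron tick.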
Thread (subject, author, posted):

Does Nginx allow to specify multiple root certificates for client certificate verification? (ffeldhaus, July 31, 2012 05:43AM)
Re: Does Nginx allow to specify multiple root certificates for client certificate verification? (Maxim Dounin, July 31, 2012 06:48AM)
Re: Does Nginx allow to specify multiple root certificates for client certificate verification? (ffeldhaus, July 31, 2012 11:21AM)
Re: Does Nginx allow to specify multiple root certificates for client certificate verification? (Maxim Dounin, July 31, 2012 12:50PM)
Re: Does Nginx allow to specify multiple root certificates for client certificate verification? (ffeldhaus, August 10, 2012 05:28AM)
