Maxim Dounin
February 12, 2015 08:14AM
Hello!

On Thu, Feb 12, 2015 at 11:02:34AM +0100, Julian Simioni wrote:

> Hi all,
> I have an Nginx 1.7.6 server serving HTTPS content, and I've been
> tweaking the configuration lately to ensure it is secure and
> performant[1].
>
> One component of this is ensuring that the intermediate certificate from
> my CA is sent along to any clients connecting to my server, to ensure
> they don't have to fetch it from somewhere else and risk at best a
> longer connection time, and at worst some sort of (unlikely) tampering.
>
> The traditional way to do this, as far as I'm aware, is to concatenate
> any intermediate certs, as well as the actual certificate for your
> domain, into one file, and then tell Nginx about it using the
> ssl_client_certificate directive. This works great, but I wanted to see
> if there was a way to keep the different certificates in different
> files, just for clarity and ease of maintenance. I put the intermediate
> cert in another file and told Nginx about it with the
> ssl_trusted_certificate directive, and everything worked great!

Both ssl_client_certificate and ssl_trusted_certificate will load
certificates to the trusted store, and OpenSSL will use these
certs to build the certificate chain at runtime if one wasn't
explicitly provided.

That is, it's a [mis]feature of the OpenSSL library which leads to
such behaviour.

While one can use this to construct certificate chains as of now,
it's not a recommended approach because:

- this consumes more CPU power, as the chain will be constructed
at runtime;

- this is not something we (at least I) consider to be a good
feature, and if/when it becomes possible to stop OpenSSL from
doing this, we'll do so.

> However, the docs[2] for ssl_trusted_certificate specifically state the
> following:
>
> In contrast to the certificate set by ssl_client_certificate, the list
> of these certificates will not be sent to clients.

This note is not about the certificate chain sent to the client, but
about the _list_ of certificates sent to clients while requesting
client certificates. See RFC5246, 7.4.4. Certificate Request,
https://tools.ietf.org/html/rfc5246#section-7.4.4 - the list is
sent in the certificate_authorities field of the Certificate
Request message to let clients know which authorities are accepted
by the server.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
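As an added example (not part of the original thread, and not nginx's own documentation), here is the configuration Maxim's advice points to: the server certificate and the CA's intermediate concatenated into one file handed to ssl_certificate, so nginx sends exactly that chain and OpenSSL does not assemble one from the trust store at handshake time. The commented-out lines show where ssl_trusted_certificate and ssl_client_certificate legitimately belong, which is the client-verification case the docs note refers to. All paths and the server name are placeholders.

```nginx
# Added example, not from the original thread. Paths and names are placeholders.
#
# Build the chain file once, leaf first, then intermediates in issuing order:
#   cat example.com.crt intermediate.crt > example.com.chain.crt
# (Do not append the root; clients already hold it in their own trust store.)

server {
    listen 443 ssl;
    server_name example.com;

    # Recommended: the full chain in one file. nginx sends these certificates
    # as-is; OpenSSL has no missing chain to fill in at runtime.
    ssl_certificate     /etc/nginx/ssl/example.com.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Not recommended for chain building: putting the intermediate here works
    # only because OpenSSL completes a missing chain from trusted certificates
    # during the handshake (the [mis]feature described above), which costs CPU
    # on every handshake and may stop working in a later release.
    # ssl_trusted_certificate /etc/nginx/ssl/intermediate.crt;

    # Where the two directives actually matter: requesting client certificates.
    # CAs listed in ssl_client_certificate are advertised to the client in the
    # certificate_authorities field of the CertificateRequest message (RFC 5246,
    # 7.4.4); CAs in ssl_trusted_certificate are trusted for verifying the
    # client's chain but are not advertised.
    # ssl_verify_client       on;
    # ssl_client_certificate  /etc/nginx/ssl/client-ca.crt;
    # ssl_trusted_certificate /etc/nginx/ssl/client-ca-intermediates.crt;
}
```

To confirm what the server actually sends, connect with `openssl s_client -connect example.com:443 -servername example.com -showcerts` and check that the leaf is followed by the intermediate in the printed chain; with the chain file approach the order is exactly the order of the concatenated file.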
Thread: Does ssl_trusted_certificate actually send certs to client?

- Julian Simioni, February 12, 2015 05:04AM
- Re: Maxim Dounin, February 12, 2015 08:14AM
- Re: shumisha, March 01, 2015 07:05AM
- Re: Maxim Dounin, March 02, 2015 09:52AM
- Re: shumisha, March 02, 2015 10:53AM
