Re: Does ssl_trusted_certificate actually send certs to client?

Maxim Dounin
March 02, 2015 09:52AM
Hello!

On Sun, Mar 01, 2015 at 07:05:43AM -0500, shumisha wrote:

> Hi
> I'm facing this problem as well, though in a different context: OCSP
> stapling. Everything looks good without OCSP stapling: my ssl_certificate
> file contains my domain (wildcard) cert from AlphaSSL, that doesn't require
> any intermediate cert, so the domain cert is the only one in that file.
>
> However to enable OCSP stapling, I have to specify the full cert chain in
> ssl_trusted_certificate. I do this by including first GlobalSign root, then
> alpha SSL intermediate. This works fine, and OCSP stapling is operating
> normally.
>
> But as a side effect, now clients also receive the full chain of
> certificates. I think, from your response above, that openssl auto chain
> building is responsible for that (you also made the same reply in
> http://forum.nginx.org/read.php?2,248153,248168#msg-248168)
>
> 1 - You say: "It shouldn't happen as long as there is at least one
> intermediate cert in ssl_certificate file". That's precisely what I want to
> avoid, including the whole chain in the ssl_certificate file. Only adding
> alphassl intermediate cert in ssl_certificate (i.e. NOT adding GlobalSign root
> cert) results in an error (#20).
>
> 2 - Googling a bit more, and totally shooting in the dark here, I also found
> that Openssl has an SSL_MODE_NO_AUTO_CHAIN flag that "...Allow an
> application to disable the automatic SSL chain building....". Isn't it
> something you could use to disable the auto chain building? (originated from
> http://t93518.encryption-openssl-development.encryptiontalk.info/ssl-server-root-certs-and-client-auth-t93518.html
> I think)
>
> Thanks for any input anyway!

Thanks, this looks like the correct flag to use. Try the following
patch:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -277,6 +277,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif

+#ifdef SSL_MODE_NO_AUTO_CHAIN
+ SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
+#endif
+
SSL_CTX_set_read_ahead(ssl->ctx, 1);

SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
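Review bot: setting SSL_MODE_NO_AUTO_CHAIN unconditionally in ngx_ssl_create() changes behaviour for every existing configuration, not only the OCSP stapling case discussed above: a server whose ssl_certificate file holds only the leaf and relied on OpenSSL completing the chain from ssl_trusted_certificate will, after this hunk, send the leaf alone and fail validation on clients that lack the intermediate. Worth a line in the ssl_certificate documentation and the changelog saying that intermediates must be in that file, and a short comment above the new SSL_CTX_set_mode() call stating why automatic chain building is disabled, since the #ifdef alone does not explain it.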


--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
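As an added illustration (not code from nginx or from either poster), the following Python script checks the ordering of an ssl_certificate bundle offline: each certificate must be issued by the next one in the file, a file holding only the leaf is flagged because automatic chain building would then fill in from ssl_trusted_certificate, and a trailing self-signed root is flagged as unnecessary. fake_cert_pem builds constructed, unsigned test certificates with made-up names so the check runs without real keys; only the raw DER issuer and subject Names are compared.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """DER bytes of every CERTIFICATE block in the bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                     # long form: low 7 bits give the length's byte count
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def _fields(value):
    """Yield (tag, value) for each direct child of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def issuer_subject(der):
    """(issuer, subject) of one certificate as raw DER Name bytes."""
    tbs = next(_fields(_tlv(der, 0)[1]))[1]          # tbsCertificate SEQUENCE
    f = [v for t, v in _fields(tbs) if t != 0xA0]    # drop optional [0] EXPLICIT version
    return f[2], f[4]     # serialNumber, signature, issuer, validity, subject, ...

def chain_problems(pem):
    """Describe order problems in an ssl_certificate bundle; empty list means fine."""
    certs = [issuer_subject(d) for d in pem_to_der(pem)]
    problems = [f"certificate {i + 1} is not the issuer of certificate {i}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if len(certs) == 1 and certs[0][0] != certs[0][1]:
        problems.append("leaf only: OpenSSL auto-chaining may add certs from ssl_trusted_certificate")
    elif certs and certs[-1][0] == certs[-1][1]:
        problems.append("last certificate is self-signed (a root); clients do not need it")
    return problems

def _der(tag, value):  # encode one DER TLV; constructed test helper for fake_cert_pem
    n = len(value)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100
            else bytes([tag, 0x82]) + n.to_bytes(2, "big")) + value

def fake_cert_pem(subject, issuer):  # structurally valid, unsigned test certificate (constructed)
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))                 # Name as SEQUENCE { UTF8String }
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer) + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Run chain_problems() on the real bundle bytes (e.g. open("/path/to/ssl_certificate.pem", "rb").read()) to see what order nginx will send; an empty list means leaf first, followed by its intermediates, with no root.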