Welcome! Log In Create A New Profile

Re: Certificate Chain Validation

Forum List Message List New Topic Print View

Maxim Dounin

February 03, 2020 08:46AM

Hello!

On Thu, Jan 30, 2020 at 10:55:03AM -0500, slowgary wrote:

> Thanks for the correction Maxim. I tested this before posting by using an
> old certificate. Nginx did not throw an error but the browser did notify
> that the connection was insecure.

Depending on what exactly "certificate chain validation" in the
original question was intended to mean, there may be at least
three cases considered:

1. Certificate chains as configured for nginx itself, by using
within the ssl_certificate directive
(http://nginx.org/r/ssl_certificate). For these certificates
nginx does not try to do any validation (and in most cases it
simply can't do it - in particular, because it doesn't know the
name to be used by clients, and doesn't have a root certificate to
validate against).

2. Certificate chains as presented by a client, as per the
ssl_verify_client directive
(http://nginx.org/r/ssl_verify_client). These chains are always
properly validated, including expiration of all intermediate
certificates and the certificate itself.

3. Certificate chains as presented by an upstream server, when
using proxy_pass to an https://... URL. These chains are properly
validated as long as the proxy_ssl_verify directive is on
(http://nginx.org/r/proxy_ssl_verify). Note though that this is
not the default behaviour, and by default nginx will not try to
validate upstream server certificates at all.

Given that the original question asks if nginx will "proceed or
will it break the connection", I suspect the question is either
about (2) or (3), as (1) hardly make sense during a particular
connection handling.

If you think that you see nginx accepting an expired certificate
from a client, or accepting an expired certificate from an
upstream server with proxy_ssl_verify switched on - please report
more details.

If you've assumed (1), the statement you've made is anyway too
broad to be true, as clearly nginx _does_ validate the expiration
date of certificates - as long as it does any validation at all.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Certificate Chain Validation	gagandeep	January 29, 2020 10:20AM
Re: Certificate Chain Validation	slowgary	January 29, 2020 09:16PM
Re: Certificate Chain Validation	Maxim Dounin	January 30, 2020 07:14AM
Re: Certificate Chain Validation	slowgary	January 30, 2020 10:55AM
Re: Certificate Chain Validation	Maxim Dounin	February 03, 2020 08:46AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 202

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018