Re: Certificate Chain Validation

Maxim Dounin
February 03, 2020 08:46AM
Hello!

On Thu, Jan 30, 2020 at 10:55:03AM -0500, slowgary wrote:

> Thanks for the correction Maxim. I tested this before posting by using an
> old certificate. Nginx did not throw an error but the browser did notify
> that the connection was insecure.

Depending on what exactly "certificate chain validation" in the
original question was intended to mean, there may be at least
three cases considered:

1. Certificate chains as configured for nginx itself, using
the ssl_certificate directive
(http://nginx.org/r/ssl_certificate). For these certificates
nginx does not try to do any validation (and in most cases it
simply can't do it - in particular, because it doesn't know the
name to be used by clients, and doesn't have a root certificate to
validate against).

2. Certificate chains as presented by a client, as per the
ssl_verify_client directive
(http://nginx.org/r/ssl_verify_client). These chains are always
properly validated, including expiration of all intermediate
certificates and the certificate itself.

3. Certificate chains as presented by an upstream server, when
using proxy_pass to an https://... URL. These chains are properly
validated as long as the proxy_ssl_verify directive is on
(http://nginx.org/r/proxy_ssl_verify). Note though that this is
not the default behaviour, and by default nginx will not try to
validate upstream server certificates at all.

Given that the original question asks if nginx will "proceed or
will it break the connection", I suspect the question is either
about (2) or (3), as (1) hardly makes sense during a particular
connection handling.

If you think that you see nginx accepting an expired certificate
from a client, or accepting an expired certificate from an
upstream server with proxy_ssl_verify switched on - please report
more details.

If you've assumed (1), the statement you've made is anyway too
broad to be true, as clearly nginx _does_ validate the expiration
date of certificates - as long as it does any validation at all.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
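As an added illustration of the three cases above (this configuration is not from the post; the hostnames and certificate paths are placeholders), a server block that verifies client certificate chains, and an upstream location shown first with nginx's default of no upstream verification and then with proxy_ssl_verify enabled:

```nginx
# Added example, not from the post. Hostnames and paths are placeholders.

server {
    listen 443 ssl;
    server_name example.com;

    # Case (1): nginx's own chain. nginx loads it but does not validate it
    # (no expiry check); the connecting client decides whether to trust it.
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    # Case (2): client certificate chains are always validated against
    # this CA bundle, including expiry of every certificate in the chain.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Case (3), default: proxying to https:// with no upstream verification.
    # An expired or untrusted upstream certificate is accepted.
    location /unverified/ {
        proxy_pass https://backend.internal;
    }

    # Case (3), hardened: verify the upstream chain (expiry included)
    # against a trusted CA bundle and check the name in the certificate.
    location /verified/ {
        proxy_pass                    https://backend.internal;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;
        proxy_ssl_name                backend.internal;
        proxy_ssl_server_name         on;
    }
}
```

With proxy_ssl_verify on, a failed check (expired, untrusted or name mismatch) is recorded in the error log as an upstream SSL certificate verify error and the client receives a 502.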