Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling
October 18, 2013 06:52PM
On 17/10/13 16:18, Maxim Dounin wrote:
<snip>
>> Issues I'm aware of with this patch:
>>
>> - It doesn't check that each of the certs has a different key type
>> (but perhaps it should). If you specify multiple certs with the
>> same algorithm, all but the last one will be ignored.
>
> Bad, but we could live with it if there will be no better way to
> do things.

We could call EVP_PKEY_type() for each private key, and throw an error
if there's >1 key of any particular type (EVP_PKEY_RSA, EVP_PKEY_DSA,
EVP_PKEY_EC).

But I think I'd prefer to "live with it". Future OpenSSL versions might
add new key types, or might make it possible for a server to offer
multiple certs of the same type (e.g. 2 ECC certs with different
curves). It would be nice if Nginx could support such enhancements
automatically.

>> - The certs and keys need to be specified in the correct order.
>> If you specify "my_rsa.crt my_ecc.crt" and "my_ecc.key my_rsa.key",
>> Nginx will start but it won't be able to complete any SSL
>> handshakes. This could be improved.
>
> This is certainly not something acceptable. There should be a
> better way to specify certs and keys.

Patch v2 (attached) checks that each cert and key are correctly paired.
If they're incorrectly paired, Nginx will throw an error and refuse to
start.

>> - It doesn't add the new feature to mail_ssl_module. Perhaps it should.
>
> This could wait.

Implemented in patch v2. Untested, but the changes are virtually
identical to the http_ssl_module changes.

>> - The changes I made to ngx_conf_set_str_array_slot() work for me,
>> but do they break anything?
>
> It doesn't look like changes we want. The
> ngx_conf_set_str_array_slot() function is intended to handle
> arrays like this:
>
> example_array_directive value1;
> example_array_directive value2;

Thanks for that tip. :-)

> I would rather see ssl_certificates to be used this way, something
> like:
>
> ssl_certificate rsa.crt;
> ssl_certificate_key rsa.key;
>
> ssl_certificate ecc.crt;
> ssl_certificate_key ecc.key;

I agree. Fixed in patch v2.

>> - An RSA cert and an ECC cert might well be issued by different
>> CAs. On Apache httpd, you have to use SSLCACertificatePath to
>> persuade OpenSSL to send different Intermediate certs for each one.
>> Nginx doesn't currently have an equivalent directive, and Maxim has
>> previously said it's unlikely to be added [1].
>> I haven't researched this properly yet, but I think it might be
>> possible to do "certificate path" in memory (i.e. without syscalls
>> and disk access on each certificate check) using the OpenSSL
>> X509_LOOKUP API.
>
> AFAIR, OpenSSL only able to store one certificate chain per
> SSL_CTX, which is the root cause of the problem.

I think you're right. I've not tried to address this yet.

>> - I expect Maxim will have other comments. :-)
>
> One thing which instantly comes in mind is SSL Stapling related
> issues.

Ah yes. The Nginx stapling code seems to assume one cert and therefore
one OCSP Response. So, I think it needs updating to handle multiple
certs and OCSP Responses and to call SSL_get_certificate(SSL*) to get
the cert that the server has selected to send to the client. I've not
tried to address this yet.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1254 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 435 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 429 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 396 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 465 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 423 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 457 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 427 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 653 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 414 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 402 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 427 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 67
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready