Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
October 19, 2013 06:16AM
Hello!

On Sat, Oct 19, 2013 at 12:06:57AM +0100, Rob Stradling wrote:

> On 17/10/13 23:00, Piotr Sikora wrote:
> >Hey,
> >
> >>I would rather see ssl_certificates to be used this way, something
> >>like:
> >>
> >> ssl_certificate rsa.crt;
> >> ssl_certificate_key rsa.key;
> >>
> >> ssl_certificate ecc.crt;
> >> ssl_certificate_key ecc.key;
> >
> >Yeah, I'm in favor of that syntax as well.
> >
> >>AFAIR, OpenSSL only able to store one certificate chain per
> >>SSL_CTX, which is the root cause of the problem.
> >
> >That's solved in OpenSSL-1.0.2 (unreleased).
>
> Thanks Piotr. I tried building Nginx with my v2 patch against
> OpenSSL_1_0_2, but I didn't see any change in behaviour. i.e. With
> an RSA cert and an ECC cert issued by different CAs, Nginx sends the
> intermediate certs from both chains in both cases.
>
> Nginx uses SSL_CTX_add_extra_chain_cert(), and I think that might be
> the problem. That function's 1_0_2 man page says "Different chains
> for different certificates (for example if both RSA and DSA
> certificates are specified by the same server) or different SSL
> structures with the same parent SSL_CTX cannot be specified using
> this function. For more flexibility functions such as
> SSL_add1_chain_cert() should be used instead."
>
> I'll investigate more next week.

The SSL_add1_chain_cert() function documentation says:

: These functions were first added to OpenSSL 1.0.2.

That is, they aren't yet available.

> >For now, the one thing we could do is to let OpenSSL build certificate
> >chains from the trusted certificates store... In order to do that, all
> >we need to do is to load only the first certificate in the file (i.e.
> >don't load intermediate certificates) in case there are multiple
> >certificates defined. This way, OpenSSL will try to build the
> >certificate chain automatically (unfortunately, it will do that on the
> >fly for each connection, so it's a noticeable overhead).
>
> Yes, but (assuming "...from the trusted certificates store" would do
> syscalls and disk access for every connection) hasn't Maxim already
> said that that overhead would be unacceptable?

This would be bad for sure, but the message you've referenced is
about CApath vs. CAfile. We have the ssl_trusted_certificate
directive which loads certs to the trusted certificates store.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
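Added example (not code from the thread, nginx or OpenSSL): Go's crypto/x509 stands in for OpenSSL here. It builds a constructed RSA chain and a constructed ECC chain issued by different CAs, pools both CAs the way a single SSL_CTX's extra-chain list is sent to every client, and then filters that pool down to the certificates that actually chain from a given leaf, which is the check an operator can use to see which extras belong with rsa.crt and which with ecc.crt. The names "RSA Test CA", "ECC Test CA" and "example.test" are made up, and one key per chain is reused for CA and leaf to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkChain builds a constructed CA -> leaf pair signed with the given key (stand-in for rsa.crt / ecc.crt).
func mkChain(name string, pub, priv any) (leaf, ca *x509.Certificate) {
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " Test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, pub, priv)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}

// ChainFor returns the issuers of cert found in pool (the union of extras one SSL_CTX sends), stopping at a self-signed root.
func ChainFor(cert *x509.Certificate, pool []*x509.Certificate) []*x509.Certificate {
	if len(pool) == 0 || cert.CheckSignatureFrom(cert) == nil { // pool exhausted, or cert is a self-signed root
		return nil
	}
	for i, c := range pool {
		if cert.CheckSignatureFrom(c) == nil { // c's key verifies cert's signature and c is a CA
			rest := append(append([]*x509.Certificate{}, pool[:i]...), pool[i+1:]...) // drop c so cycles cannot recurse
			return append([]*x509.Certificate{c}, ChainFor(c, rest)...)
		}
	}
	return nil // no issuer for cert in the pool
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	eccKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaLeaf, rsaCA := mkChain("RSA", &rsaKey.PublicKey, rsaKey)
	eccLeaf, eccCA := mkChain("ECC", &eccKey.PublicKey, eccKey)
	pool := []*x509.Certificate{rsaCA, eccCA} // both chains' extras, as nginx sends them for every connection
	fmt.Println(len(ChainFor(rsaLeaf, pool)), len(ChainFor(eccLeaf, pool))) // prints "1 1": each leaf needs only its own CA
}
```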