Hello!

On Sat, Oct 19, 2013 at 12:06:57AM +0100, Rob Stradling wrote:

> On 17/10/13 23:00, Piotr Sikora wrote:
> >Hey,
> >
> >>I would rather see ssl_certificates to be used this way, something
> >>like:
> >>
> >> ssl_certificate rsa.crt;
> >> ssl_certificate_key rsa.key;
> >>
> >> ssl_certificate ecc.crt;
> >> ssl_certificate_key ecc.key;
> >
> >Yeah, I'm in favor of that syntax as well.
> >
> >>AFAIR, OpenSSL only able to store one certificate chain per
> >>SSL_CTX, which is the root cause of the problem.
> >
> >That's solved in OpenSSL-1.0.2 (unreleased).
>
> Thanks Piotr. I tried building Nginx with my v2 patch against
> OpenSSL_1_0_2, but I didn't see any change in behaviour. i.e. With
> an RSA cert and an ECC cert issued by different CAs, Nginx sends the
> intermediate certs from both chains in both cases.
>
> Nginx uses SSL_CTX_add_extra_chain_cert(), and I think that might be
> the problem. That function's 1_0_2 man page says "Different chains
> for different certificates (for example if both RSA and DSA
> certificates are specified by the same server) or different SSL
> structures with the same parent SSL_CTX cannot be specified using
> this function. For more flexibility functions such as
> SSL_add1_chain_cert() should be used instead."
>
> I'll investigate more next week.

The SSL_add1_chain_cert() function documentation says:

: These functions were first added to OpenSSL 1.0.2.

That is, they aren't yet available.

> >For now, the one thing we could do is to let OpenSSL build certificate
> >chains from the trusted certificates store... In order to do that, all
> >we need to do is to load only the first certificate in the file (i.e.
> >don't load intermediate certificates) in case there are multiple
> >certificates defined. This way, OpenSSL will try to build the
> >certificate chain automatically (unfortunately, it will do that on the
> >fly for each connection, so it's a noticeable overhead).
>
> Yes, but (assuming "...from the trusted certificates store" would do
> syscalls and disk access for every connection) hasn't Maxim already
> said that that overhead would be unacceptable?

This would be bad for sure, but the message you've referenced says
about CApath vs. CAfile. We have the ssl_trusted_certificate
directive which loads certs to the trusted certificates store.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel