Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling
October 21, 2013 05:42PM
On 19/10/13 11:14, Maxim Dounin wrote:
<snip>
>> I'll investigate more next week.
>
> The SSL_add1_chain_cert() function documentation says:
>
> : These functions were first added to OpenSSL 1.0.2.
>
> That is, they aren't yet available.

True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to
"SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling against
OpenSSL_1_0_2 does give the desired behaviour though.

>>> For now, the one thing we could do is to let OpenSSL build certificate
>>> chains from the trusted certificates store... In order to do that, all
>>> we need to do is to load only the first certificate in the file (i.e.
>>> don't load intermediate certificates) in case there are multiple
>>> certificates defined. This way, OpenSSL will try to build the
>>> certificate chain automatically (unfortunately, it will do that on the
>>> fly for each connection, so it's a noticeable overhead).
>>
>> Yes, but (assuming "...from the trusted certificates store" would do
>> syscalls and disk access for every connection) hasn't Maxim already
>> said that that overhead would be unacceptable?
>
> This would be bad for sure, but the message you've referenced says
> about CApath vs. CAfile. We have the ssl_trusted_certificate
> directive which loads certs to the trusted certificates store.

Ah, I see. It's just "CApath" that you want to avoid, and
ssl_trusted_certificate is basically the same thing as "CAfile".

To keep things simple for users, I think it would be best for Nginx to
keep expecting to find the intermediate CA certs at the end of the
ssl_certificate file (rather than require users to put them in the
ssl_trusted_certificate file under certain circumstances). But I agree
with using the "trusted certificates store" under the hood. The
following approach seems to work:

#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    /* OpenSSL 1.0.2 lets us do this properly (add1: takes its own reference) */
    if (SSL_CTX_add1_chain_cert(ssl->ctx, x509) != 1) {
        return NGX_ERROR;
    }
    X509_free(x509);
#else
    if (ncerts > 1) {   /* ncerts: number of ssl_certificate directives */
        /* Put this intermediate in the "trusted certificates store" */
        if (X509_STORE_add_cert(ssl->ctx->cert_store, x509) != 1) {
            return NGX_ERROR;
        }
        X509_free(x509);   /* the store took its own reference */
    } else {
        /* This is what Nginx does currently; takes ownership of x509 */
        if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) != 1) {
            return NGX_ERROR;
        }
    }
#endif

(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate
not found" from the stapling code in both cases where I don't call
SSL_CTX_add_extra_chain_cert() - another thing to look into!)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel