Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
October 22, 2013 08:10AM
Hello!

On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:

> On 19/10/13 11:14, Maxim Dounin wrote:
> <snip>
> >>I'll investigate more next week.
> >
> >The SSL_add1_chain_cert() function documentation says:
> >
> >: These functions were first added to OpenSSL 1.0.2.
> >
> >That is, they aren't yet available.
>
> True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to
> "SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling
> against OpenSSL_1_0_2 does give the desired behaviour though.
>
> >>>For now, the one thing we could do is to let OpenSSL build certificate
> >>>chains from the trusted certificates store... In order to do that, all
> >>>we need to do is to load only the first certificate in the file (i.e.
> >>>don't load intermediate certificates) in case there are multiple
> >>>certificates defined. This way, OpenSSL will try to build the
> >>>certificate chain automatically (unfortunately, it will do that on the
> >>>fly for each connection, so it's a noticeable overhead).
> >>
> >>Yes, but (assuming "...from the trusted certificates store" would do
> >>syscalls and disk access for every connection) hasn't Maxim already
> >>said that that overhead would be unacceptable?
> >
> >This would be bad for sure, but the message you've referenced says
> >about CApath vs. CAfile. We have the ssl_trusted_certificate
> >directive which loads certs to the trusted certificates store.
>
> Ah, I see. It's just "CApath" that you want to avoid, and
> ssl_trusted_certificate is basically the same thing as "CAfile".
>
> To keep things simple for users, I think it would be best for Nginx
> to keep expecting to find the intermediate CA certs at the end of
> the ssl_certificate file (rather than require users to put them in
> the ssl_trusted_certificate file under certain circumstances). But
> I agree with using the "trusted certificates store" under the hood.
> The following approach seems to work:
>
> #if OPENSSL_VERSION_NUMBER >= 0x10002000L
> // OpenSSL 1.0.2 lets us do this properly
> Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
> #else
> If (number of ssl_certificate directives > 1)
> // Put this intermediate in the "trusted certificates store"
> Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
> Else
> // This is what Nginx does currently
> Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
> End If
> #endif

An unwanted side effect would be that this will allow client
certificate authentication to use certs from a server's
certificate chain. Probably not something we want to happen.

> (A side effect is that I'm seeing "OCSP_basic_verify:signer
> certificate not found" from the stapling code in both cases where I
> don't call SSL_CTX_add_extra_chain_cert() - another thing to look
> into!)

OCSP Stapling code uses certificate chain as available via
SSL_CTX_get_extra_chain_certs() to look for issuer cert, see
ngx_ssl_stapling_issuer(). Though certs from a trusted store
should be used too.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1254 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 436 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 430 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 396 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 466 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 423 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 458 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 390 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 428 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 655 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 414 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 403 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 428 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 50
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready