Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
October 22, 2013 08:26PM
Hello!

On Tue, Oct 22, 2013 at 02:31:01PM +0100, Rob Stradling wrote:

> On 22/10/13 13:09, Maxim Dounin wrote:
> >Hello!
> >
> >On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:
> <snip>
> >>The following approach seems to work:
> >>
> >>#if OPENSSL_VERSION_NUMBER >= 0x10002000L
> >> // OpenSSL 1.0.2 lets us do this properly
> >> Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
> >>#else
> >> If (number of ssl_certificate directives > 1)
> >> // Put this intermediate in the "trusted certificates store"
> >> Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
> >> Else
> >> // This is what Nginx does currently
> >> Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
> >> End If
> >>#endif
> >
> >An unwanted side effect would be that this will allow client
> >certificate authentication to use certs from a server's
> >certificate chain. Probably not something we want to happen.
>
> Yes, that's a potentially unwanted side effect. But unfortunately,
> AFAICT, putting the intermediates into the "trusted certificates
> store" is the only way to implement this feature with OpenSSL
> <1.0.2.
>
> Could you live with this side effect if the user had to explicitly
> enable it? Like this...

I think this should be left up to a user. That is, if user want
us to work this way, he can use the ssl_trusted_certificate directive
to supply needed certs.

[...]

> >>(A side effect is that I'm seeing "OCSP_basic_verify:signer
> >>certificate not found" from the stapling code in both cases where I
> >>don't call SSL_CTX_add_extra_chain_cert() - another thing to look
> >>into!)
> >
> >OCSP Stapling code uses certificate chain as available via
> >SSL_CTX_get_extra_chain_certs() to look for issuer cert, see
> >ngx_ssl_stapling_issuer().
>
> Yep, I'd found that.
>
> >Though certs from a trusted store should be used too.
>
> ngx_event_openssl_stapling.c provides OCSP_basic_verify() with 3
> places to look for certs: inside the OCSP Response, the
> extra_chain_certs and the "trusted certificate store".
>
> OCSP_basic_verify() calls ocsp_find_signer() to locate the
> certificate that signed the OCSP Response, but this function only
> looks in the first 2 of those 3 places. (There's a comment "/*
> Maybe lookup from store if by subject name */", but no associated
> code).

Err, sorry, I've somehow misread you mail and tought you are
talking about "issuer certificate not found" errors. The
OCSP_basic_verify() indeed will likely require additional fixes
and/or workarounds.

> This is a problem for OCSP Responses that are signed directly by the
> CA certificate (rather than by a delegated OCSP Response Signing
> Certificate). It currently works because that CA certificate is
> almost certainly present in extra_chain_certs. But, to support
> RSA+DSA+ECC certs signed by different intermediates, we already
> established that we can't use extra_chain_certs.
>
> To workaround this, I think the only option would be to pass to
> OCSP_basic_verify() a different STACK_OF(X509) that includes all of
> the extra_chain_certs plus whatever other CA certificates that Nginx
> can lay its hands on!

Given the number of problems, it might be easier to assume the
chains must be the same. How it looks from a CA point of view?

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] RSA+DSA+ECC bundles

Rob Stradling 1254 October 17, 2013 10:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 436 October 17, 2013 11:20AM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 430 October 17, 2013 06:02PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 396 October 18, 2013 07:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 482 October 19, 2013 06:16AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 466 October 21, 2013 05:42PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 424 October 22, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 364 October 22, 2013 09:32AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 431 October 22, 2013 08:26PM

Re: [PATCH] RSA+DSA+ECC bundles

W-Mark Kubacki 458 October 23, 2013 01:08PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 390 October 23, 2013 03:14PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 428 October 23, 2013 05:50PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 419 October 23, 2013 08:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 397 October 31, 2013 05:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 655 October 31, 2013 06:00PM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 414 November 01, 2013 06:48AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 389 November 01, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin 475 November 01, 2013 10:26AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 403 October 23, 2013 02:28PM

Re: [PATCH] RSA+DSA+ECC bundles

Piotr Sikora 441 October 23, 2013 05:56PM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 522 October 24, 2013 08:10AM

Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling 428 October 18, 2013 06:52PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 49
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready