Re: [PATCH] RSA+DSA+ECC bundles

Rob Stradling
October 23, 2013 02:28PM
On 23/10/13 01:25, Maxim Dounin wrote:
> On Tue, Oct 22, 2013 at 02:31:01PM +0100, Rob Stradling wrote:
<snip>
>> Yes, that's a potentially unwanted side effect. But unfortunately,
>> AFAICT, putting the intermediates into the "trusted certificates
>> store" is the only way to implement this feature with OpenSSL
>> <1.0.2.
>>
>> Could you live with this side effect if the user had to explicitly
>> enable it? Like this...
<snip>
> I think this should be left up to a user. That is, if the user wants
> us to work this way, he can use the ssl_trusted_certificate directive
> to supply the needed certs.

OK.

When multiple certs are configured, OpenSSL <1.0.2 is being used, and
there are 1 or more Intermediate certs in the ssl_certificate files that
will therefore be ignored, I think it would be helpful to log a warning
(to inform the user that those certs have been ignored and would need to
be moved to the ssl_trusted_certificate file).

<snip>
>> OCSP_basic_verify() calls ocsp_find_signer() to locate the
>> certificate that signed the OCSP Response, but this function only
>> looks in the first 2 of those 3 places. (There's a comment "/*
>> Maybe lookup from store if by subject name */", but no associated
>> code).
>
> Err, sorry, I've somehow misread your mail and thought you were
> talking about "issuer certificate not found" errors. The
> OCSP_basic_verify() indeed will likely require additional fixes
> and/or workarounds.

Yep. I've made a start on attempting to change the stapling code to
support multiple certs. (Hopefully I'll be able to complete this!)

>> This is a problem for OCSP Responses that are signed directly by the
>> CA certificate (rather than by a delegated OCSP Response Signing
>> Certificate). It currently works because that CA certificate is
>> almost certainly present in extra_chain_certs. But, to support
>> RSA+DSA+ECC certs signed by different intermediates, we already
>> established that we can't use extra_chain_certs.
>>
>> To work around this, I think the only option would be to pass to
>> OCSP_basic_verify() a different STACK_OF(X509) that includes all of
>> the extra_chain_certs plus whatever other CA certificates that Nginx
>> can lay its hands on!
>
> Given the number of problems, it might be easier to assume the
> chains must be the same.

I'm not ready to give up yet. :-)

> How it looks from a CA point of view?

We plan to issue RSA certs from an RSA CA, and ECC certs from an ECC CA.

AIUI, TLS <=1.1 requires ECC certs to be issued by an ECC CA, and RSA
certs to be issued by an RSA CA - see RFC4492 section 2. Only TLS 1.2
allows ECC certs to be issued by an RSA CA (and vice versa).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
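An added illustration of the warning Rob suggests for the OpenSSL <1.0.2 case (not code from the patch or from nginx itself): a Python check that fires only when several ssl_certificate directives are configured, OpenSSL is older than 1.0.2, and a bundle file carries more than one certificate. The regexes, function names, config snippet and PEM placeholders are all constructed for this example; the real nginx warning would come from its config parser in C.

```python
import re
from typing import Dict, List, Tuple

# OpenSSL 1.0.2 introduced per-certificate chains; on older OpenSSL nginx has
# one shared extra_chain_certs, so with several ssl_certificate files the
# intermediates bundled after each leaf cannot be attached to their own leaf.
MIN_PER_CERT_CHAIN = (1, 0, 2)
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SSL_CERT_RE = re.compile(r"^\s*ssl_certificate\s+(\S+)\s*;", re.M)

def ssl_certificate_files(config_text: str) -> List[str]:
    """Paths given to ssl_certificate directives, in configuration order."""
    return SSL_CERT_RE.findall(config_text)

def count_pem_certs(pem_text: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle (leaf plus intermediates)."""
    return len(PEM_CERT_RE.findall(pem_text))

def ignored_intermediate_warnings(config_text: str, files: Dict[str, str],
                                  openssl_version: Tuple[int, int, int]) -> List[str]:
    """One warning per bundle whose intermediates an old OpenSSL would drop:
    several ssl_certificate directives, OpenSSL < 1.0.2, and a file holding
    more than one certificate must all hold (the thread's three conditions)."""
    paths = ssl_certificate_files(config_text)
    if len(paths) < 2 or openssl_version >= MIN_PER_CERT_CHAIN:
        return []
    warnings = []
    for path in paths:
        extra = count_pem_certs(files.get(path, "")) - 1
        if extra > 0:
            warnings.append(
                f'{extra} intermediate cert(s) in "{path}" ignored by OpenSSL '
                f'{".".join(map(str, openssl_version))}; move them to the '
                f'ssl_trusted_certificate file')
    return warnings

# Constructed sample input (placeholder PEM bodies, not real certificates).
CONSTRUCTED_CONFIG = """
server {
    ssl_certificate /etc/nginx/rsa-bundle.pem;
    ssl_certificate /etc/nginx/ecc-bundle.pem;
}
"""
_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
CONSTRUCTED_FILES = {
    "/etc/nginx/rsa-bundle.pem": _CERT * 2,  # leaf plus one RSA intermediate
    "/etc/nginx/ecc-bundle.pem": _CERT,      # leaf only
}
```

On a live host the version tuple would come from `ssl.OPENSSL_VERSION_INFO[:3]` and the file contents from reading the configured paths.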