Re: [PATCH] RSA+DSA+ECC bundles

Maxim Dounin
October 23, 2013 08:28PM
Hello!

On Wed, Oct 23, 2013 at 02:48:38PM -0700, Piotr Sikora wrote:

> Hey,
>
> > Just drop the backwards-compatibility and require OpenSSL 1.0.2 or
> > later for that feature, just like a particular version of OpenSSL is
> > needed for TLS-SNI.
>
> I kind of agree with that.
>
> While OpenSSL-1.0.2 is still unreleased, it seems that all options for
> existing releases are a bit hacky, to say at least... The trusted
> certificate store sounds like the only way to do it right now, but it
> effectively makes SSL client verification useless and creates a
> security issue.
>
> What do you think, Maxim?

I strongly disagree with automatically adding certificates from a
certificate chain to a trusted store, it's just not an option.
Otherwise, I don't think that use of a trusted certificate store is
a major problem.

The same problem is already here if one wants to use OCSP Stapling
and verify signatures (and one probably wants to, given the fact
that an incorrect OCSP Staple can be easily used to DoS a server
if a client follows RFC6066, and e.g. Firefox folks seem to try
to do so and fail a connection on an incorrect OCSP Staple, see
http://trac.nginx.org/nginx/ticket/425). And the same happens if
a complex PKI is used, and only some users should be allowed to
login.

In the long term I think that our client verification code should be
complemented by some access control functionality (as of now, one
can use the rewrite module for checks, and some do use it anyway,
but it's not very convenient).

As for multiple certs per se, I don't think it should be limited
to recent OpenSSL versions only. As far as I can tell, current
versions of OpenSSL will work just fine (well, mostly) as long as
both ECDSA and RSA certs use the same certificate chain. I
believe at least some CAs issue ECDSA certs this way, and this
should work.

Limiting support for multiple certs with separate certificate
chains to only recent OpenSSL versions seems reasonable to me,
but if Rob wants to try to make it work with older versions - I
don't really object. If it won't be too hacky it might be worth
supporting.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
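As an added example that is not part of the thread or of Rob's patch, the nginx configuration below shows the separation Maxim refers to (the advertised client-CA list versus the trusted store used for OCSP verification) together with the rewrite-module style access check he mentions; it uses directives documented for nginx 1.3.7 and later, and all file paths and the user CNs are hypothetical.

```nginx
# Added example, not the project's own configuration. Paths and CNs are
# hypothetical.
http {
    # Allow-list of client certificate subjects. $ssl_client_s_dn is matched
    # as a regex so the same rule works for both the legacy "/C=..../CN=..."
    # and the RFC 2253 "CN=...,O=..." output formats.
    map $ssl_client_s_dn $client_allowed {
        default                  0;
        "~CN=alice([,/]|$)"      1;
        "~CN=bob([,/]|$)"        1;
    }

    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate     /etc/nginx/tls/server.crt;   # leaf followed by its chain
        ssl_certificate_key /etc/nginx/tls/server.key;

        # Only the CA that actually issues client certificates goes here:
        # this list is sent to clients in the CertificateRequest message.
        ssl_verify_client      on;
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;
        ssl_verify_depth       2;

        # Certificates needed to verify OCSP responses (the server chain's
        # CA and intermediates) go in the trusted store instead; they are
        # used for verification but never advertised to clients. Note that
        # anything in this store is also accepted as an issuer of client
        # certificates, which is the tension discussed in the thread; the
        # subject allow-list below limits what such a certificate can do.
        ssl_trusted_certificate /etc/nginx/tls/server-chain-ca.crt;
        ssl_stapling            on;
        ssl_stapling_verify     on;

        location / {
            # A valid certificate chaining to a trusted CA is not enough on
            # its own: reject subjects that are not on the allow-list.
            if ($client_allowed = 0) {
                return 403;
            }
            proxy_pass http://backend;
        }
    }
}
```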