Re: [PATCH] fix/unify access to SSL_CTX certificate chains

Maxim Dounin
May 13, 2019 08:32AM
Hello!

On Mon, May 13, 2019 at 08:16:13AM +0200, Elias Ohm via nginx-devel wrote:

> src/event/ngx_event_openssl_stapling.c | 10 ++++++++--
> 1 files changed, 8 insertions(+), 2 deletions(-)
>
>
> # HG changeset patch
> # User Elias Ohm <eohm@novomind.com>
> # Date 1557697215 -7200
> # Sun May 12 23:40:15 2019 +0200
> # Node ID 6c1d44aa7054fb130ece5432119d04971b586795
> # Parent 16a1adadf43751f59257ba419f6bacd530dd19d3
> fix/unify access to SSL_CTX certificate chains
>
> For newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate, while in older versions the extra chain had to be used (SSL_CTX_add_extra_chain_cert), which is always global to the context.
>
> Reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions).
> However, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls back to reading chain_certs when no extra_certs are available, but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. In addition, this is inconsistent use of the functions, and the functionality of trying extra certs and falling back to the certificate chain is not needed here.

You may want to be more specific here:

LibreSSL 2.9.1 introduced partial support for per-certificate
chains, yet failed to introduce appropriate changes in
SSL_CTX_get_extra_chain_certs(). Quoting documentation for
SSL_CTX_get_extra_chain_certs(), as recently added to OpenSSL[1]:

: SSL_CTX_get_extra_chain_certs() retrieves the extra chain
: certificates associated with ctx, or the chain associated with the
: current certificate of ctx if the extra chain is empty.

This behaviour was in OpenSSL since the original introduction of
per-certificate chains in OpenSSL 1.0.2[2], so code can safely
use SSL_CTX_get_extra_chain_certs() to get the best of the
available chains regardless of how certificate chains were set.
And this is what the code in question in nginx does - it uses
SSL_CTX_get_extra_chain_certs() to get the best of the available
chains.

While I generally like LibreSSL, this looks like a LibreSSL bug to
me. And instead of trying to fix working code in nginx, you may
want to focus on fixing SSL_CTX_get_extra_chain_certs() in
LibreSSL.

[1] https://github.com/openssl/openssl/commit/dc703d6b469f1b186483a55b59013fbaca2228fd
[2] https://github.com/openssl/openssl/commit/a51f767645c117667d337f77fe1dd9c0a66d8410

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel