Re: ssl_verify_partial_chain

Maxim Dounin
May 18, 2022 10:26PM
Hello!

On Wed, May 18, 2022 at 02:28:28PM +0200, Vedran Vidovic wrote:

> We would like to be able to configure the mutual TLS client
> authentication by:
> - adding intermediate CA certificates
> - without adding the root CA certificate for each intermediate
> certificate
>
> If we add CA as a trusted issuer, we shouldn't need to add its issuer
> to
> the truststore (ssl_client_certificate).
>
> I propose a backward compatible solution to add a new configuration
> option ssl_verify_partial_chain that can be turned on if the behaviour
> described above is desired. This option enables the openssl library
> partial_chain verification.

(First of all, just to make sure it's understood and this isn't
something you are trying to do. Note that if one wants to limit
access, it might be a good idea to use some actual authorization
checks in addition to PKI, which essentially provides
authentication. Using narrow trust as a poor man's authorization
check is not the way to go.)

After reading https://github.com/openssl/openssl/issues/7871 I
tend to think that a better solution might be to explicitly
configure trust on the certificates if such configuration is
needed.

Something like:

$ openssl x509 -in cert.pem -out trust.pem -trustout -addtrust anyExtendedKeyUsage

will do the trick.

For ssl_trusted_certificate / proxy_ssl_trusted_certificate this
works out of the box (seems to work at least since OpenSSL 1.0.2,
the same version where X509_V_FLAG_PARTIAL_CHAIN was introduced).

For ssl_client_certificate it needs some additional cert in the
file to work, as SSL_load_client_CA_file() is not able to parse
certificates with trust data. (And such certificates won't be
advertised during SSL handshakes.) Not sure if it's a practical
problem, but if it is, it should be possible to adjust
SSL_load_client_CA_file() and/or switch to a different way to
create the CA list for SSL_CTX_set_client_CA_list().

[...]

> @@ -874,6 +874,25 @@
>
> SSL_CTX_set_verify_depth(ssl->ctx, depth);
>
> + if (partial_chain == 1) {
> + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();;
> + if (param) {
> + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> + if (SSL_CTX_set1_param(ssl->ctx, param) == 0) {
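
Review bot: the `if (param)` guard turns an allocation failure of X509_VERIFY_PARAM_new() into a silent no-op, so a configuration with partial-chain verification requested would fall through to strict chain building without any error being logged; a NULL return should be reported through the usual ngx_ssl error path and fail the configuration rather than being skipped. Two smaller points in the same lines: `X509_VERIFY_PARAM_new();;` has a stray second semicolon, and since SSL_CTX_set1_param() copies the parameters into the context, the visible lines need a matching X509_VERIFY_PARAM_free(param) on both the success and the failure path to avoid leaking the allocation. Setting the flag directly on the context's store with X509_STORE_set_flags(SSL_CTX_get_cert_store(ssl->ctx), X509_V_FLAG_PARTIAL_CHAIN) avoids the allocation and the cleanup entirely.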

Just in case, setting flags via X509_STORE_set_flags(), much like
ngx_ssl_crl() does, should be much easier.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
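The following script is an added example, not code from the thread or from nginx; it reproduces, with the openssl command line, the three verification behaviours the reply compares: a leaf verified against its intermediate alone fails by default, succeeds with the partial-chain flag, and succeeds without that flag once the intermediate is re-encoded with explicit trust data using the `-trustout -addtrust anyExtendedKeyUsage` command from the reply. It assumes an openssl CLI (1.1.1 or 3.x) on PATH; the certificate names, subjects and extension files are all constructed here. The nginx-specific caveat about SSL_load_client_CA_file() and the advertised CA list is not exercised, as it only shows up inside a TLS handshake.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> leaf in a scratch directory and
# compare how `openssl verify` treats the leaf when only the intermediate is
# trusted. Assumes the openssl CLI is on PATH; every name below is constructed.

WORK=$(mktemp -d) || exit 1
cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

# Extensions for the intermediate: it must be a CA to sign the leaf.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for the leaf: an ordinary client certificate.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# gen_chain: creates root.pem, int.pem (signed by root) and leaf.pem (signed by int).
gen_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Constructed Root" -days 2 >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Constructed Intermediate" >/dev/null 2>&1 || return 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.pem -days 2 >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=client1" >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile leaf.ext -out leaf.pem -days 2 >/dev/null 2>&1 || return 1
}

# verify_leaf CAFILE [extra verify flags]: prints "ok" or "fail" for leaf.pem.
verify_leaf() {
    cafile=$1; shift
    if openssl verify "$@" -CAfile "$cafile" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# make_trust_cert: re-encodes the intermediate with explicit trust data, so the
# verifier accepts it as a trust anchor even though it is not self-signed.
make_trust_cert() {
    openssl x509 -in int.pem -out trust.pem -trustout -addtrust anyExtendedKeyUsage
}

# Stand-alone run: print the three results side by side.
demo() {
    gen_chain || { echo "certificate generation failed" >&2; return 1; }
    make_trust_cert || return 1
    echo "intermediate only, default flags:   $(verify_leaf int.pem)"
    echo "intermediate only, -partial_chain:  $(verify_leaf int.pem -partial_chain)"
    echo "intermediate with explicit trust:   $(verify_leaf trust.pem)"
    echo "root only (no intermediate given):  $(verify_leaf root.pem)"
}

demo
```

The last line of the demo is the control: trusting only the root still fails for the leaf because the intermediate is not presented anywhere, which is the situation a client sends when it omits its intermediate; the explicit-trust file changes what counts as an anchor, not how chains are built.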