Re: ssl_verify_partial_chain

Maxim Dounin
May 20, 2022 09:50PM
Hello!

On Fri, May 20, 2022 at 04:02:08PM +0200, Vedran Vidovic wrote:

> Hello,
>
> thanks for the extensive answer.
>
> I will try to pursue a solution similar to your suggestion:
> - convert intermediate CA certificate to trusted certificate
> - validate client certificate using trusted certificate
>
> I still believe that addition of the new configuration option
> "ssl_verify_partial_chain" would benefit nginx because if
> we configure it using the "ssl_trusted_certificate" it doesn't
> send a list of allowed CAs to the client. We just can't cover
> the case when we want to send a list of allowed issuers
> (without their root certs) without changes to nginx.

Sure, it could be beneficial to provide a proper list of allowed
certificate authorities during the SSL handshake. But, as already
suggested, it should be possible to solve this without introducing
additional options. Further, given the comments in the OpenSSL
ticket, it might be something to address on the OpenSSL side if
the OpenSSL team is willing to simplify providing explicit trust
information.

> In my view, if I configure a certificate I1 as a trusted issuer, I should not be forced
> to add its issuer to the list of trusted certificates. I would like to tell my server to trust all
> certificates issued by certificate I1 (and not by its root issuer). Similar functionality
> is available in some other products I used and it seems natural to me, but people
> with a different background can (of course) disagree.

I agree that this approach is more natural and easier to
understand than OpenSSL's default (and the only one available until
OpenSSL 1.0.2) "we have to build a chain up to a self-signed root
CA" approach.

(Further, one of the practical use cases for this might be
checking OCSP responses in OCSP Stapling, which are expected to be
signed by the certificate issuer, so no additional certificates
should be required for the OCSP response verification, which is
not currently the case, see
http://nginx.org/r/ssl_stapling_verify.)

What I don't like is the idea of introducing additional
verification options, which will further complicate things.

We might actually consider enabling X509_V_FLAG_PARTIAL_CHAIN by
default if available, though this might be something to carefully
consider to ensure there will be no unwanted side-effects.

[...]

> Use Case 2 for such an approach (a real use case):
> On a more practical note, we need to trust all certs issued by any of the
> issuer certs from the EU trusted certificates list site and root certs are
> not published there.

Interesting, thanks for the details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
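Added example, not part of the thread: a POSIX shell script that builds a throwaway root / intermediate / client chain with the openssl CLI and shows the difference between default verification, which has to reach a self-signed root in the trust store, and -partial_chain, the CLI equivalent of X509_V_FLAG_PARTIAL_CHAIN discussed above. It assumes an openssl binary (1.1.1 or newer) on PATH; every certificate, key and name it uses is constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): compare default OpenSSL chain
# verification with the partial-chain mode (-partial_chain on the CLI,
# X509_V_FLAG_PARTIAL_CHAIN in the API) using a constructed test PKI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions shared by both constructed CA certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Constructed self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 1 \
  -extfile ca.ext 2>/dev/null

# Constructed intermediate CA "I1", issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate I1" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 1 -extfile ca.ext 2>/dev/null

# Constructed client certificate issued by I1.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=client" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 1 2>/dev/null

# verify_with TRUSTFILE [extra openssl verify flags]: 0 if leaf.pem verifies.
verify_with() {
  trust="$1"; shift
  openssl verify "$@" -CAfile "$trust" leaf.pem >/dev/null 2>&1
}

# Default chain building succeeds when the root is trusted and I1 is only
# supplied as an untrusted intermediate ...
default_root()  { verify_with root.pem -untrusted inter.pem; }
# ... but fails when I1 alone is in the trust store (no issuer for I1).
default_inter() { verify_with inter.pem; }
# With the partial-chain flag, I1 itself is accepted as the trust anchor.
partial_inter() { verify_with inter.pem -partial_chain; }

report() {  # report LABEL FUNCTION: print the outcome without tripping set -e
  if "$2"; then echo "$1: ok"; else echo "$1: FAIL"; fi
}
report "root trusted, default verification"          default_root
report "only I1 trusted, default verification"       default_inter
report "only I1 trusted, -partial_chain verification" partial_inter
```

The second case is the one nginx's ssl_client_certificate / ssl_trusted_certificate hit today; the third is what the thread's "trust everything issued by I1" request amounts to.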