Sergey Kandaurov
July 20, 2022 10:00AM
# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1658325446 -14400
# Wed Jul 20 17:57:26 2022 +0400
# Node ID 5a9cc2a846c9ea4c0af03109ab186af1ac28e222
# Parent 069a4813e8d6d7ec662d282a10f5f7062ebd817f
SSL: consistent certificate verification depth.

Originally, certificate verification depth was used to limit the number
of signatures to validate, that is, to limit chains with intermediate
certificates one less. The semantics was changed in OpenSSL 1.1.0, and
instead it limits now the number of intermediate certificates allowed.
This makes it not possible to limit certificate checking to self-signed
certificates with verify depth 0 in OpenSSL 1.1.0+, and is inconsistent
compared with former behaviour in BoringSSL and older OpenSSL versions.

This change restores former verification logic when using OpenSSL 1.1.0+.
The verify callback is adjusted to emit the "certificate chain too long"
error when the certificate chain exceeds the verification depth. It has
no effect to other SSL libraries, where this is limited by other means.
Also, this fixes verification checks when using LibreSSL 3.4.0+, where
a chain depth is not limited except by X509_VERIFY_MAX_CHAIN_CERTS (32).

diff -r 069a4813e8d6 -r 5a9cc2a846c9 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Jul 19 17:05:27 2022 +0300
+++ b/src/event/ngx_event_openssl.c Wed Jul 20 17:57:26 2022 +0400
@@ -997,16 +997,26 @@ ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *s
static int
ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
+ int depth, verify_depth;
+ ngx_ssl_conn_t *ssl_conn;
+
+ ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
+ SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ depth = X509_STORE_CTX_get_error_depth(x509_store);
+ verify_depth = SSL_CTX_get_verify_depth(SSL_get_SSL_CTX(ssl_conn));
+
+ if (depth > verify_depth) {
+ X509_STORE_CTX_set_error(x509_store, X509_V_ERR_CERT_CHAIN_TOO_LONG);
+ }
+
#if (NGX_DEBUG)
+
+ int err;
char *subject, *issuer;
- int err, depth;
X509 *cert;
X509_NAME *sname, *iname;
ngx_connection_t *c;
- ngx_ssl_conn_t *ssl_conn;
-
- ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
- SSL_get_ex_data_X509_STORE_CTX_idx());

c = ngx_ssl_get_connection(ssl_conn);

@@ -1016,7 +1026,6 @@ ngx_ssl_verify_callback(int ok, X509_STO

cert = X509_STORE_CTX_get_current_cert(x509_store);
err = X509_STORE_CTX_get_error(x509_store);
- depth = X509_STORE_CTX_get_error_depth(x509_store);

sname = X509_get_subject_name(cert);

@@ -1058,6 +1067,7 @@ ngx_ssl_verify_callback(int ok, X509_STO
if (issuer) {
OPENSSL_free(issuer);
}
+
#endif

return 1;

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Subject Author Views Posted

[PATCH] SSL: consistent certificate verification depth

Sergey Kandaurov 511 July 20, 2022 10:00AM

Re: [PATCH] SSL: consistent certificate verification depth

Maxim Dounin 136 July 20, 2022 02:06PM

Re: [PATCH] SSL: consistent certificate verification depth

Sergey Kandaurov 169 July 21, 2022 10:20AM

Re: [PATCH] SSL: consistent certificate verification depth

Maxim Dounin 179 July 23, 2022 05:54PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 167
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready