Hello! On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:
> On 19/10/13 11:14, Maxim Dounin wrote:
> <snip>
> >>I'll investigate more next week.
> >
> >The SSL_add1_chain_cert() function documentation says:
> >
> >: These functions were first added to OpenSSL 1.0.2.
> >
> >That is, they aren't yet available.
> 
> True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to
> "SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling
> against OpenSSL_1_0_2 does give the desired behaviour though.
> 
> >>>For now, the one thing we could do is to let OpenSSL build certificate
> >>>chains from the trusted certificates store... In order to do that, all
> >>>we need to do is to load only the first certificate in the file (i.e.
> >>>don't load intermediate certificates) in case there are multiple
> >>>certificates defined. This way, OpenSSL will try to build the
> >>>certificate chain automatically (unfortunately, it will do that on the
> >>>fly for each connection, so it's a noticeable overhead).
> >>
> >>Yes, but (assuming "...from the trusted certificates store" would do
> >>syscalls and disk access for every connection) hasn't Maxim already
> >>said that that overhead would be unacceptable?
> >
> >This would be bad for sure, but the message you've referenced talks
> >about CApath vs. CAfile. We have the ssl_trusted_certificate
> >directive which loads certs into the trusted certificates store.
> 
> Ah, I see. It's just "CApath" that you want to avoid, and
> ssl_trusted_certificate is basically the same thing as "CAfile".
> 
> To keep things simple for users, I think it would be best for Nginx
> to keep expecting to find the intermediate CA certs at the end of
> the ssl_certificate file (rather than require users to put them in
> the ssl_trusted_certificate file under certain circumstances). But
> I agree with using the "trusted certificates store" under the hood.
> The following approach seems to work:
> 
> #if OPENSSL_VERSION_NUMBER >= 0x10002000L
>     // OpenSSL 1.0.2 lets us do this properly
>     Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
> #else
>     If (number of ssl_certificate directives > 1)
>         // Put this intermediate in the "trusted certificates store"
>         Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
>     Else
>         // This is what Nginx does currently
>         Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
>     End If
> #endif

An unwanted side effect would be that this will allow client certificate
authentication to use certs from a server's certificate chain. Probably
not something we want to happen.

> (A side effect is that I'm seeing "OCSP_basic_verify:signer
> certificate not found" from the stapling code in both cases where I
> don't call SSL_CTX_add_extra_chain_cert() - another thing to look
> into!)

The OCSP stapling code uses the certificate chain as available via
SSL_CTX_get_extra_chain_certs() to look for the issuer cert, see
ngx_ssl_stapling_issuer(). Though certs from a trusted store should be
used too.

-- 
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
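Added example, not code from this thread or from nginx: the discussion above turns on how an ssl_certificate file is read, with the first PEM block being the server certificate and every later block an intermediate that belongs in the sent chain (the extra-chain list) rather than in the trusted store, where it would also become acceptable as a client-certificate issuer. The splitter below makes that distinction explicit. The function names (split_pem_bundle, leaf_and_chain, needs_chain_handling) and the sample bundle, whose base64 payloads are placeholders rather than real certificates, are constructed for this example.

```python
"""Split a PEM certificate bundle the way an ssl_certificate file is read:
the first block is the server (leaf) certificate, every later block is an
intermediate that belongs in the sent chain, not in the trusted store."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# OpenSSL accepts both labels; a "TRUSTED CERTIFICATE" block carries extra
# trust attributes, which only matter for the first (leaf) certificate.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>(?:TRUSTED )?CERTIFICATE)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass(frozen=True)
class PemCert:
    label: str   # "CERTIFICATE" or "TRUSTED CERTIFICATE"
    body: str    # base64 payload with all whitespace removed


def split_pem_bundle(text: str) -> List[PemCert]:
    """Return every certificate block in file order. Non-PEM text between
    blocks (e.g. 'Bag Attributes' written by pkcs12 exports) is skipped,
    which is also how OpenSSL's PEM reader behaves."""
    certs = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        if not body or not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
            raise ValueError("malformed base64 in PEM certificate block")
        certs.append(PemCert(m.group("label"), body))
    return certs


def leaf_and_chain(text: str) -> Tuple[PemCert, List[PemCert]]:
    """First block = server certificate, remainder = intermediates that
    should go into the chain sent to clients (SSL_CTX_add_extra_chain_cert
    or, on OpenSSL 1.0.2, SSL_CTX_add1_chain_cert), never into the store."""
    certs = split_pem_bundle(text)
    if not certs:
        raise ValueError("no certificate found in bundle")
    return certs[0], certs[1:]


def needs_chain_handling(text: str) -> bool:
    """True when the bundle carries intermediates, i.e. the case where the
    server has to decide how to hand them to OpenSSL at all."""
    _, chain = leaf_and_chain(text)
    return len(chain) > 0


# Constructed sample bundle: the payloads are placeholders, not real X.509 DER.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: example leaf
-----BEGIN CERTIFICATE-----
TEFGLUNFUlRJRklDQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLTEtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
SU5URVJNRURJQVRFLTItUExBQ0VIT0xERVI=
-----END TRUSTED CERTIFICATE-----
"""

if __name__ == "__main__":
    leaf, chain = leaf_and_chain(SAMPLE_BUNDLE)
    print("leaf:", leaf.label, leaf.body[:16] + "...")
    for i, cert in enumerate(chain, 1):
        print(f"intermediate {i}: {cert.label}")
```

Keeping the leaf and the intermediates as separate results is the point: the intermediates are what a server sends with its certificate, and nothing about them being in the file implies they should be trusted as issuers of peer certificates, which is exactly the side effect the X509_STORE_add_cert branch would introduce.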