Hello!

On Mon, May 13, 2019 at 08:16:13AM +0200, Elias Ohm via nginx-devel wrote:

>  src/event/ngx_event_openssl_stapling.c |  10 ++++++++--
>  1 files changed, 8 insertions(+), 2 deletions(-)
> 
> 
> # HG changeset patch
> # User Elias Ohm <e...@novomind.com>
> # Date 1557697215 -7200
> #      Sun May 12 23:40:15 2019 +0200
> # Node ID 6c1d44aa7054fb130ece5432119d04971b586795
> # Parent  16a1adadf43751f59257ba419f6bacd530dd19d3
> fix/unify access to SSL_CTX certificate chains
> 
> for newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated 
> chain field (SSL_CTX_set0_chain_certs) belonging to a certificate while in 
> older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert) 
> which is always global to the context.
> 
> reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for 
> newer versions (if not directly from staple->ssl_ctx->extra_certs in older 
> versions).
> however, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls 
> back to reading chain_certs when no extra_certs are available, but breaks for 
> some other implementations where SSL_CTX_get_extra_chain_certs is implemented 
> the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. in addition 
> this is an inconsistent use of the functions, and the functionality of trying 
> extra certs and falling back to the certificate chain is not needed here.

You may want to be more specific here:

LibreSSL 2.9.1 introduced partial support for per-certificate 
chains, yet failed to introduce appropriate changes in 
SSL_CTX_get_extra_chain_certs().  Quoting documentation for 
SSL_CTX_get_extra_chain_certs(), as recently added to OpenSSL[1]:

: SSL_CTX_get_extra_chain_certs() retrieves the extra chain 
: certificates associated with ctx, or the chain associated with the 
: current certificate of ctx if the extra chain is empty.

This behaviour has been in OpenSSL since the original introduction of 
per-certificate chains in OpenSSL 1.0.2[2], so code can safely 
use SSL_CTX_get_extra_chain_certs() to get the best of the 
available chains regardless of how certificate chains were set.  
And this is what the code in question in nginx does - it uses 
SSL_CTX_get_extra_chain_certs() to get the best of the available 
chains.

While I generally like LibreSSL, this looks like a LibreSSL bug to 
me.  And instead of trying to fix working code in nginx, you may 
want to focus on fixing SSL_CTX_get_extra_chain_certs() in 
LibreSSL.

[1] https://github.com/openssl/openssl/commit/dc703d6b469f1b186483a55b59013fbaca2228fd
[2] https://github.com/openssl/openssl/commit/a51f767645c117667d337f77fe1dd9c0a66d8410

-- 
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel