Hello! On Wed, May 18, 2022 at 02:28:28PM +0200, Vedran Vidovic wrote:
> We would like to be able to configure the mutual TLS client
> authentication by:
> - adding intermediate CA certificates
> - without adding the root CA certificate for each intermediate
> certificate
>
> If we add CA as a trusted issuer, we shouldn't need to add its issuer
> to the truststore (ssl_client_certificate).
>
> I propose a backward compatible solution to add a new configuration
> option ssl_verify_partial_chain that can be turned on if the behaviour
> described above is desired. This option enables the openssl library
> partial_chain verification.

(First of all, just to make sure it's understood and this isn't
something you are trying to do. Note that if one wants to limit access,
it might be a good idea to use some actual authorization checks in
addition to PKI, which essentially provides authentication. Using
narrow trust as a poor man's authorization check is not the way to go.)

After reading https://github.com/openssl/openssl/issues/7871 I tend to
think that a better solution might be to explicitly configure trust on
the certificates if such configuration is needed. Something like:

$ openssl x509 -in cert.pem -out trust.pem -trustout -addtrust anyExtendedKeyUsage

will do the trick.

For ssl_trusted_certificate / proxy_ssl_trusted_certificate this works
out of the box (seems to work at least since OpenSSL 1.0.2, the same
version where X509_V_FLAG_PARTIAL_CHAIN was introduced).

For ssl_client_certificate it needs some additional cert in the file to
work, as SSL_load_client_CA_file() is not able to parse certificates
with trust data. (And such certificates won't be advertised during SSL
handshakes.) Not sure if it's a practical problem, but if it is, it
should be possible to adjust SSL_load_client_CA_file() and/or switch to
a different way to create the CA list for SSL_CTX_set_client_CA_list().

[...]
> @@ -874,6 +874,25 @@
>
> SSL_CTX_set_verify_depth(ssl->ctx, depth);
>
> + if (partial_chain == 1) {
> + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();;
> + if (param) {
> + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> + if (SSL_CTX_set1_param(ssl->ctx, param) == 0) {

Just in case, setting flags via X509_STORE_set_flags(), much like
ngx_ssl_crl() does, should be much easier.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-le...@nginx.org
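Review bot: in the hunk at @@ -874, the `param` returned by X509_VERIFY_PARAM_new() is never released in the visible lines; SSL_CTX_set1_param() copies the settings into the context's own verify parameters, so `X509_VERIFY_PARAM_free(param)` is needed after the call on both the success and the failure path, or the object leaks on every reconfiguration. The `if (param)` guard also makes an allocation failure silent: the directive is accepted but partial-chain verification is not enabled, which is the wrong failure mode for a trust setting; log an error and return NGX_ERROR there instead. Minor: stray `;;` on the `X509_VERIFY_PARAM_new();;` line, and the return value of X509_VERIFY_PARAM_set_flags() is ignored. As the reply points out, `X509_STORE_set_flags(SSL_CTX_get_cert_store(ssl->ctx), X509_V_FLAG_PARTIAL_CHAIN)`, the way ngx_ssl_crl() sets its CRL flags, needs no allocation, no copy and no free, and removes all of the above.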
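The two approaches contrasted in the reply (the X509_V_FLAG_PARTIAL_CHAIN flag the patch would expose versus marking the intermediate with explicit trust via `openssl x509 -trustout -addtrust anyExtendedKeyUsage`) can be compared from the command line. The script below is an added example and is not code from the nginx-devel thread or from nginx; it builds a throwaway root -> intermediate -> client chain with made-up subject names and assumes `openssl` 1.1.1 or later is on PATH. It then runs `openssl verify` for the client certificate against a truststore that holds only the intermediate, in three variants, and finally shows the PEM header of the trust-marked file, which is what SSL_load_client_CA_file() cannot parse.

```shell
#!/bin/sh
# Added example, not code from the nginx-devel thread or from nginx itself.
# Builds a throwaway root -> intermediate -> client chain and shows how an
# intermediate-only truststore behaves under `openssl verify`:
#   1. plain intermediate, default flags          -> fail (issuer unknown)
#   2. plain intermediate, -partial_chain         -> ok   (the proposed option)
#   3. intermediate re-emitted with explicit trust -> ok   (the reply's suggestion)
# Assumes `openssl` 1.1.1+ on PATH; all subject names below are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: an empty DN section so -subj supplies the whole name
# and no default x509_extensions are pulled in from the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

make_chain() {
    # self-signed root CA
    openssl req -config "$WORK/req.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -subj /CN=Example-Root \
        -addext basicConstraints=critical,CA:TRUE -days 3650 >/dev/null 2>&1
    # intermediate CA signed by the root
    openssl req -config "$WORK/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj /CN=Example-Intermediate >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/inter.pem" \
        -days 3650 -extfile "$WORK/ca.ext" >/dev/null 2>&1
    # client (leaf) certificate signed by the intermediate
    openssl req -config "$WORK/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" -subj /CN=alice >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/client.pem" \
        -days 365 -extfile "$WORK/leaf.ext" >/dev/null 2>&1
    # The form suggested in the reply: the intermediate re-emitted with
    # trust data (a "TRUSTED CERTIFICATE" PEM block carrying anyExtendedKeyUsage).
    openssl x509 -in "$WORK/inter.pem" -out "$WORK/trust.pem" \
        -trustout -addtrust anyExtendedKeyUsage
}

# Verifies client.pem against one CA file and prints ok/fail instead of
# exiting, so the three outcomes can be compared side by side.
verify_client() {   # $1 = CA file, $2 = extra verify flags (may be empty)
    if openssl verify -no-CApath -CAfile "$1" $2 "$WORK/client.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# One line summarising the three cases, e.g.
# "inter-only=fail partial_chain=ok trusted=ok".
run_cases() {
    printf 'inter-only=%s partial_chain=%s trusted=%s\n' \
        "$(verify_client "$WORK/inter.pem" "")" \
        "$(verify_client "$WORK/inter.pem" "-partial_chain")" \
        "$(verify_client "$WORK/trust.pem" "")"
}

# PEM header of the trust-marked file. ssl_trusted_certificate goes through
# the X509_AUX reader and accepts it; SSL_load_client_CA_file() reads plain
# "CERTIFICATE" blocks only, which is the ssl_client_certificate caveat above.
trust_pem_header() {
    head -n 1 "$WORK/trust.pem"
}

make_chain
run_cases
trust_pem_header
```

Case 3 succeeds without any verify flag because OpenSSL treats a store certificate carrying explicit trust attributes as a trust anchor even though it is not self-signed; that is the behaviour the linked openssl issue discusses and the reason the reply prefers it to a global partial-chain switch. Note that `anyExtendedKeyUsage` marks the intermediate as trusted for every purpose; a narrower value such as `clientAuth` limits that.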