Hello,
 
thanks for the extensive answer.
 
I will try to pursue a solution similar to your suggestion:
- convert intermediate CA certificate to trusted certificate
- validate client certificate using trusted certificate
 
I still believe that addition of the new configuration option
"ssl_verify_partial_chain" would benefit nginx because if
we configure it using the "ssl_trusted_certificate" it doesn't
send a list of allowed CAs to the client. We just can't cover
the case when we want to send a list of allowed issuers
(without their root certs) without changes to nginx.
 
 
In my view, if I configure a certificate I1 as a trusted issuer, I should not be forced
to add its issuer to the list of trusted certificates. I would like to tell my server to trust all
certificates issued by certificate I1 (and not by its root issuer). Similar functionality
is available in some other products I have used and it seems natural to me, but people
with a different background can (of course) disagree.
 
---
Use Case 1 for such an approach:
For example, we could even have the following hierarchy of certificates:
- R (root CA)
  - L0n (client leaf cert 00, 01,..)
  - I1 (intermediate CA)
    - L1n (client leaf cert 10, 11)
  - I2 (intermediate CA)
    - L2n (client leaf cert 20, 21,..)
 
We would want to trust certs issued by intermediate CA I1 but not trust
certs L0n or L2n.
 
Without the possibility to trust only the I1 and not the R we can't make sure
that someone won't call us with L0n certs.
 
---
Use Case 2 for such an approach (a real use case):
On a more practical note, we need to trust all certs issued by any of the
issuer certs from the EU trusted certificates list site and root certs are
not published there.
 
 
 
 
Kind regards
Vedran Vidovic
 
 
----- Original message -----
From: "Maxim Dounin" <mdou...@mdounin.ru>
To: nginx-devel@nginx.org
Cc:
Subject: Re: ssl_verify_partial_chain
Date: Thu, May 19, 2022 4:25 AM
 
Hello!

On Wed, May 18, 2022 at 02:28:28PM +0200, Vedran Vidovic wrote:

>    We would like to be able to configure the mutual TLS client
>    authentication by:
>    - adding intermediate CA certificates
>    - without adding the root CA certificate for each intermediate
>    certificate
>
>    If we add CA as a trusted issuer, we shouldn't need to add its issuer
>    to
>    the truststore (ssl_client_certificate).
>
>    I propose a backward compatible solution to add a new configuration
>    option ssl_verify_partial_chain that can be turned on if the behaviour
>    described above is desired. This option enables the openssl library
>    partial_chain verification.

(First of all, just to make sure it's understood and this isn't
something you are trying to do.  Note that if one wants to limit
access, it might be a good idea to use some actual authorization
checks in addition to PKI, which essentially provides
authentication.  Using narrow trust as a poor man's authorization
check is not the way to go.)

After reading https://github.com/openssl/openssl/issues/7871 I
tend to think that a better solution might be to explicitly
configure trust on the certificates if such configuration is
needed.

Something like:

$ openssl x509 -in cert.pem -out trust.pem -trustout -addtrust anyExtendedKeyUsage

will do the trick.

For ssl_trusted_certificate / proxy_ssl_trusted_certificate this
works out of the box (seems to work at least since OpenSSL 1.0.2,
the same version where X509_V_FLAG_PARTIAL_CHAIN was introduced).

For ssl_client_certificate it needs some additional cert in the
file to work, as SSL_load_client_CA_file() is not able to parse
certificates with trust data.  (And such certificates won't be
advertised during SSL handshakes.)  Not sure if it's a practical
problem, but if it is, it should be possible to adjust
SSL_load_client_CA_file() and/or switch to a different way to
create the CA list for SSL_CTX_set_client_CA_list().

[...]

> @@ -874,6 +874,25 @@
>  
>      SSL_CTX_set_verify_depth(ssl->ctx, depth);
>  
> +    if (partial_chain == 1) {
> +      X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();;
> +      if (param) {
> +        X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> +        if (SSL_CTX_set1_param(ssl->ctx, param) == 0) {
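Review bot: The `X509_VERIFY_PARAM_new()` line in this hunk allocates an object that the caller still owns after `SSL_CTX_set1_param()` (the "set1" call copies the parameters), so it needs a matching `X509_VERIFY_PARAM_free()` on both the success and the failure path, and none is visible in the hunk; the same line also carries a stray double semicolon. Since only one flag is being set, the allocation can go away entirely by setting the flag on the context's existing store, e.g. `X509_STORE_set_flags(SSL_CTX_get_cert_store(ssl->ctx), X509_V_FLAG_PARTIAL_CHAIN);`, which is the approach the reply below points at. If the allocation is kept, the `if (param)` guard should not silently skip the requested partial-chain behaviour when `X509_VERIFY_PARAM_new()` returns NULL; log and return an error there, as the surrounding ngx_ssl code does for other OpenSSL failures.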

Just in case, setting flags via X509_STORE_set_flags(), much like
ngx_ssl_crl() does, should be much easier.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-le...@nginx.org
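The following script is an added example, not code from nginx, OpenSSL or either poster. It reproduces Use Case 1 from the thread (R issues L0 directly and also issues the intermediate I1, which issues L1) with a throwaway PKI, then applies the `openssl x509 -trustout -addtrust anyExtendedKeyUsage` conversion from the replied-to message and checks with the openssl CLI what each trust file accepts. All certificate names, the config file and the working directory are constructed here; the only assumption is that the `openssl` command (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not nginx, OpenSSL or poster code): constructed hierarchy
#   R -> L0         (client leaf issued directly by the root)
#   R -> I1 -> L1   (client leaf issued by the intermediate)
# Goal from the thread: trust L1 via I1 alone, without R, and still reject L0.
set -e

WORK=$(mktemp -d)

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue NAME ISSUER EXTSECTION: new key and CSR for NAME, signed by ISSUER.
issue() {
    (cd "$WORK" &&
     openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
         -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1 &&
     openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
         -days 30 -extfile req.cnf -extensions "$3" -out "$1.pem" >/dev/null 2>&1)
}

build_pki() {
    # R: self-signed root CA.
    (cd "$WORK" && openssl req -x509 -config req.cnf -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout R.key -out R.pem -subj /CN=R -days 30 \
        >/dev/null 2>&1)
    issue I1 R v3_ca      # intermediate CA under R
    issue L0 R v3_leaf    # client leaf issued directly by R
    issue L1 I1 v3_leaf   # client leaf issued by I1
    # Convert I1 into a "trusted certificate" with explicit trust for any
    # purpose (the conversion from the thread). The output is a
    # "TRUSTED CERTIFICATE" PEM block rather than a plain CERTIFICATE.
    (cd "$WORK" && openssl x509 -in I1.pem -out trust.pem -trustout \
        -addtrust anyExtendedKeyUsage)
}

# verify_with CAFILE LEAF [extra openssl verify options]: prints OK or FAIL.
# The system trust store is excluded so only CAFILE decides the outcome.
verify_with() {
    cafile=$1; leaf=$2; shift 2
    if (cd "$WORK" && openssl verify "$@" -no-CAfile -no-CApath \
            -CAfile "$cafile" "$leaf" >/dev/null 2>&1); then
        echo OK
    else
        echo FAIL
    fi
}

build_pki
echo "L1 against trust.pem (I1 with explicit trust, no R): $(verify_with trust.pem L1.pem)"
echo "L0 against trust.pem (issued by R, not by I1):        $(verify_with trust.pem L0.pem)"
echo "L1 against plain I1.pem (no trust attributes):        $(verify_with I1.pem L1.pem)"
echo "L1 against plain I1.pem with -partial_chain:          $(verify_with I1.pem L1.pem -partial_chain)"
```

The first and last lines print OK, the middle two print FAIL: a plain intermediate in the trust file is not enough on its own (OpenSSL keeps looking for R and fails), while either the explicit trust attributes or the partial-chain flag lets the chain stop at I1, and a leaf that I1 never issued is rejected in every case. As the thread notes, nginx accepts such a trust file via ssl_trusted_certificate, at the cost of not advertising the issuer list to clients, whereas ssl_client_certificate needs an additional plain certificate in the file because SSL_load_client_CA_file() does not parse trust data.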