Hello! On Fri, May 20, 2022 at 04:02:08PM +0200, Vedran Vidovic wrote:
> Hello, > > thanks for the extensive answer. > > I will try to pursue a solution similar to your suggestion: > - convert intermediate CA certificate to trusted certificate > - validate client certificate using trusted certificate > > I still believe that addition of the new configuration option > "ssl_verify_partial_chain" would benefit nginx because if > we configure it using the "ssl_trusted_certificate" it doesn't > send a list of allowed CAs to the client. We just can't cover > the case when we want to send a list of allowed issuers > (without their root certs) without changes to nginx. Sure, it could be beneficial to provide proper list of allowed certificate authorities during the SSL handshake. But, as already suggested, it should be possible to solve this without introducing additional options. Further, given the comments in the OpenSSL ticket, it might be something to address on the OpenSSL side if OpenSSL team is willing to simplify providing explicit trust information. > In my view, if I configure a certificate I1 as a trusted issuer, I should not > be enforced > to add its issuer to list of trusted certificates. I would like to tell my > server to trust all > certificates issued by certificate I1 (and not by it's root issuer). Similar > functionality > is available in some other products I used and it seems natural to me but > people > with different background can (of course) disagree. I agree that this approach is more natural and easier to understand than OpenSSL's default (and the only available till OpenSSL 1.0.2) "we have to build a chain up to a self-signed root CA" approach. (Further, one of the practical use cases for this might be checking OCSP responses in OCSP Stapling, which are expected to be signed by the certificate issuer, so no additional certificates should be required for the OCSP response verification, which is not currently the case, see http://nginx.org/r/ssl_stapling_verify.) What I don't like is the idea of introducing additional verification options, which will further complicate things. We might actually consider enabling X509_V_FLAG_PARTIAL_CHAIN by default if available, though this might be something to carefully consider to ensure there will be no unwanted side-effects. [...] > Use Case 2 for such an approach (a real use case): > On a more practical note, we need to trust all certs issued by any of the > issuer certs from the EU trusted certificates list site and root certs are > not published there. Interesting, thanks for the details. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx-devel mailing list -- nginx-devel@nginx.org To unsubscribe send an email to nginx-devel-le...@nginx.org
