Hello! On Thu, Feb 12, 2015 at 11:02:34AM +0100, Julian Simioni wrote:
> Hi all,
>
> I have an Nginx 1.7.6 server serving HTTPS content, and I've been
> tweaking the configuration lately to ensure it is secure and
> performant[1].
>
> One component of this is ensuring that the intermediate certificate from
> my CA is sent along to any clients connecting to my server, to ensure
> they don't have to fetch it from somewhere else and risk at best a
> longer connection time, and at worst some sort of (unlikely) tampering.
>
> The traditional way to do this, as far as I'm aware, is to concatenate
> any intermediate certs, as well as the actual certificate for your
> domain, into one file, and then tell Nginx about it using the
> ssl_client_certificate directive. This works great, but I wanted to see
> if there was a way to keep the different certificates in different
> files, just for clarity and ease of maintenance. I put the intermediate
> cert in another file and told Nginx about it with the
> ssl_trusted_certificate directive, and everything worked great!

Both ssl_client_certificate and ssl_trusted_certificate will load
certificates to the trusted store, and OpenSSL will use these certs to
build the certificate chain at runtime if one wasn't explicitly
provided. That is, it's a [mis]feature of the OpenSSL library which
leads to such behaviour.

While one can use this to construct certificate chains as of now, it's
not a recommended approach because:

- this consumes more CPU power, as the chain will be constructed at
  runtime;

- this is not something we (at least I) consider to be a good feature,
  and if/when it will be possible to stop OpenSSL from doing this -
  we'll do so.

> However, the docs[2] for ssl_trusted_certificate specifically state the
> following:
>
> In contrast to the certificate set by ssl_client_certificate, the list
> of these certificates will not be sent to clients.

This note is not about the certificate chain sent to the client, but
about the _list_ of certificates sent to clients while requesting client
certificates. See RFC5246, 7.4.4. Certificate Request,
https://tools.ietf.org/html/rfc5246#section-7.4.4 - the list is sent in
the certificate_authorities field of the Certificate Request message to
let clients know which authorities are accepted by the server.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
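The three configurations the exchange above is about, written out as an added example; this is not configuration from the original thread or from the nginx project, and every file path and host name in it is a placeholder. The first server block is the approach Maxim recommends (the chain concatenated into the file given to ssl_certificate, server certificate first), the second is the ssl_trusted_certificate shortcut that works only because OpenSSL builds the chain at runtime, and the third shows what the docs' "will not be sent to clients" actually refers to: the CA list advertised in the TLS Certificate Request when client certificates are required.

```nginx
# Added example, not from the thread. Paths under /etc/nginx/certs/ are
# placeholders; build the full chain file yourself, leaf first, e.g.:
#   cat example.com.crt intermediate.crt > example.com.fullchain.crt

# 1. Recommended: the file passed to ssl_certificate already contains the
#    server certificate followed by the intermediate(s). nginx sends this
#    chain as-is; nothing is assembled per handshake.
server {
    listen      443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # ssl_trusted_certificate is for verifying *other* certificates, such
    # as OCSP stapling responses; per the reply above, do not lean on it
    # to complete the server's own chain.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/certs/ca-bundle.crt;
}

# 2. Works today, not recommended: leaf alone in ssl_certificate, the
#    intermediate only in ssl_trusted_certificate. OpenSSL completes the
#    chain from the trusted store at runtime (extra CPU per handshake),
#    and the reply says nginx intends to stop this when it can.
server {
    listen      443 ssl;
    server_name legacy.example.com;

    ssl_certificate         /etc/nginx/certs/legacy.example.com.crt;   # leaf only
    ssl_certificate_key     /etc/nginx/certs/legacy.example.com.key;
    ssl_trusted_certificate /etc/nginx/certs/intermediate.crt;
}

# 3. What the docs' "will not be sent to clients" is about: with
#    ssl_verify_client, the CA names from ssl_client_certificate go into
#    the certificate_authorities field of the Certificate Request message
#    (RFC 5246, 7.4.4); CAs from ssl_trusted_certificate are used for
#    verification but are not advertised to clients.
server {
    listen      443 ssl;
    server_name mtls.example.com;

    ssl_certificate     /etc/nginx/certs/mtls.example.com.fullchain.crt;
    ssl_certificate_key /etc/nginx/certs/mtls.example.com.key;

    ssl_verify_client       on;
    ssl_verify_depth        2;
    ssl_client_certificate  /etc/nginx/certs/client-ca.crt;        # advertised
    ssl_trusted_certificate /etc/nginx/certs/client-ca-roots.crt;  # not advertised
}
```

The split in block 3 is the useful one in practice: keeping only the issuing CA in ssl_client_certificate limits what the server reveals about its trust configuration in every handshake, while the roots needed to complete verification stay in ssl_trusted_certificate.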
