Hello! On Sun, Mar 01, 2015 at 07:05:43AM -0500, shumisha wrote:
> Hi
>
> I'm facing this problem as well, though in a different context: OCSP
> stapling. Everything looks good without OCSP stapling: my ssl_certificate
> file contains my domain (wildcard) cert from AlphaSSL, that doesn't require
> any intermediate cert, so the domain cert is the only one in that file.
>
> However, to enable OCSP stapling, I have to specify the full cert chain in
> ssl_trusted_certificate. I do this by including first the GlobalSign root, then
> the AlphaSSL intermediate. This works fine, and OCSP stapling is operating
> normally.
>
> But as a side effect, now clients also receive the full chain of
> certificates. I think, from your response above, that OpenSSL auto chain
> building is responsible for that (you also made the same reply in
> http://forum.nginx.org/read.php?2,248153,248168#msg-248168)
>
> 1 - You say: "It shouldn't happen as long as there is at least one
> intermediate cert in ssl_certificate file". That's precisely what I want to
> avoid: including the whole chain in the ssl_certificate file. Only adding the
> AlphaSSL intermediate cert in ssl_certificate (i.e. NOT adding the GlobalSign root
> cert) results in error #20.
>
> 2 - Googling a bit more, and totally shooting in the dark here, I also found
> that OpenSSL has an SSL_MODE_NO_AUTO_CHAIN flag that "...Allow an
> application to disable the automatic SSL chain building....". Isn't it
> something you could use to disable the auto chain building? (originated from
> http://t93518.encryption-openssl-development.encryptiontalk.info/ssl-server-root-certs-and-client-auth-t93518.html
> I think)
>
> Thanks for any input anyway!

Thanks, this looks like the correct flag to use. Try the following patch:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -277,6 +277,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); #endif +#ifdef SSL_MODE_NO_AUTO_CHAIN + SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); +#endif + SSL_CTX_set_read_ahead(ssl->ctx, 1); SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
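Review bot: setting SSL_MODE_NO_AUTO_CHAIN in ngx_ssl_create changes the served chain for every ssl server, not only the OCSP stapling case in the quoted report: a configuration whose ssl_certificate file holds only the leaf and has so far relied on OpenSSL picking the intermediate up from ssl_trusted_certificate will, after this hunk, send the leaf alone, and clients that do not already hold that intermediate will fail verification. Worth stating in the commit message and CHANGES that ssl_certificate must now carry the intermediates explicitly. The `#ifdef SSL_MODE_NO_AUTO_CHAIN` guard is the right shape, since it keeps the file building against OpenSSL headers that do not define the mode.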
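For operators following this thread, here is the configuration shape that keeps both the served chain and OCSP stapling correct once auto chain building is disabled. This is an added example, not configuration from the thread or from the nginx project; the file paths and server_name are placeholders, and it assumes the leaf and its intermediate have been concatenated (leaf first) into one PEM file.

```nginx
# Added example (not from the thread): a server block laid out so that the
# chain sent to clients and OCSP stapling both work with auto chain building
# disabled. File names below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Leaf certificate first, then the issuing intermediate, in one file.
    # With SSL_MODE_NO_AUTO_CHAIN the server sends exactly what is in this
    # file, so the intermediate must be here; the root is not needed by
    # clients and would only add bytes to every handshake.
    ssl_certificate     /etc/nginx/ssl/example.com.chain.pem;   # leaf + intermediate
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # OCSP stapling: ssl_trusted_certificate is used to verify the stapled
    # response. With auto chain building off it is no longer consulted when
    # building the chain sent to clients, so it can hold the intermediate and
    # the root without the root being served to every client.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/ssl/alphassl-intermediate-plus-globalsign-root.pem;
    resolver                127.0.0.1;
}
```

To confirm what a given server actually sends after a change like this, an operator can connect with `openssl s_client -connect example.com:443 -servername example.com -showcerts -status` and count the certificates in the output: with the layout above, two (leaf and intermediate) should appear, the stapled OCSP response should be reported, and the root should be absent.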
