Hello!

On Sat, Oct 19, 2013 at 12:06:57AM +0100, Rob Stradling wrote:

> On 17/10/13 23:00, Piotr Sikora wrote:
> >Hey,
> >
> >>I would rather see ssl_certificates to be used this way, something
> >>like:
> >>
> >>    ssl_certificate rsa.crt;
> >>    ssl_certificate_key rsa.key;
> >>
> >>    ssl_certificate ecc.crt;
> >>    ssl_certificate_key ecc.key;
> >
> >Yeah, I'm in favor of that syntax as well.
> >
> >>AFAIR, OpenSSL is only able to store one certificate chain per
> >>SSL_CTX, which is the root cause of the problem.
> >
> >That's solved in OpenSSL-1.0.2 (unreleased).
>
> Thanks Piotr. I tried building Nginx with my v2 patch against
> OpenSSL_1_0_2, but I didn't see any change in behaviour, i.e. with
> an RSA cert and an ECC cert issued by different CAs, Nginx sends the
> intermediate certs from both chains in both cases.
>
> Nginx uses SSL_CTX_add_extra_chain_cert(), and I think that might be
> the problem. That function's 1_0_2 man page says "Different chains
> for different certificates (for example if both RSA and DSA
> certificates are specified by the same server) or different SSL
> structures with the same parent SSL_CTX cannot be specified using
> this function. For more flexibility functions such as
> SSL_add1_chain_cert() should be used instead."
>
> I'll investigate more next week.

The SSL_add1_chain_cert() function documentation says:

: These functions were first added to OpenSSL 1.0.2.

That is, they aren't yet available.

> >For now, the one thing we could do is to let OpenSSL build certificate
> >chains from the trusted certificates store... In order to do that, all
> >we need to do is to load only the first certificate in the file (i.e.
> >don't load intermediate certificates) in case there are multiple
> >certificates defined. This way, OpenSSL will try to build the
> >certificate chain automatically (unfortunately, it will do that on the
> >fly for each connection, so it's a noticeable overhead).
>
> Yes, but (assuming "...from the trusted certificates store" would do
> syscalls and disk access for every connection) hasn't Maxim already
> said that that overhead would be unacceptable?

This would be bad for sure, but the message you've referenced is about
CApath vs. CAfile. We have the ssl_trusted_certificate directive which
loads certs to the trusted certificates store.

-- 
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
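An added check, written for this thread and not part of nginx or the patch under discussion: a small POSIX shell script that pulls the chain a server sends when the handshake is limited to RSA or to ECDSA cipher suites and flags intermediates that do not belong to the selected leaf's chain, which is the symptom Rob describes. It assumes the `openssl` CLI is installed, uses the cipher names `ECDHE-RSA-AES128-GCM-SHA256` and `ECDHE-ECDSA-AES128-GCM-SHA256` to steer certificate selection, and the embedded `-showcerts` output is constructed, not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate chain a
# server sends for an RSA-only or ECDSA-only handshake.

# Print one "subject -> issuer" line per certificate from `openssl s_client
# -showcerts` output on stdin, in the order the server sent them. Works with
# both the "s:/CN=x" and the newer "s:CN = x" subject formats.
chain_pairs() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print subj " -> " $0 }
    '
}

# Raw s_client output for one key type. $1 = host, $2 = port, $3 = rsa|ecdsa.
# TLS 1.2 is forced so that -cipher decides which leaf the server picks
# (assumption: openssl CLI with these cipher names available).
fetch_chain() {
    case $3 in
        rsa)   ciphers='ECDHE-RSA-AES128-GCM-SHA256' ;;
        ecdsa) ciphers='ECDHE-ECDSA-AES128-GCM-SHA256' ;;
        *) echo "usage: fetch_chain host port rsa|ecdsa" >&2; return 2 ;;
    esac
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
        -cipher "$ciphers" -showcerts </dev/null 2>/dev/null
}

# Return 0 when every certificate after the leaf is the issuer of the one
# before it, 1 when a stray certificate (e.g. the other chain's
# intermediate) is present.
check_chain() {
    chain_pairs | awk -F ' -> ' '
        NR > 1 && $1 != prev_issuer { stray++ }
        { prev_issuer = $2 }
        END { exit (stray > 0) }
    '
}

# Constructed sample: RSA leaf sent with intermediates from BOTH chains.
SAMPLE='Certificate chain
 0 s:/CN=example.test
   i:/CN=RSA Intermediate CA
 1 s:/CN=RSA Intermediate CA
   i:/CN=RSA Root CA
 2 s:/CN=ECC Intermediate CA
   i:/CN=ECC Root CA
---'
```

Run it against a live server as `fetch_chain example.test 443 ecdsa | check_chain` (and again with `rsa`); a non-zero exit means the chain sent for that leaf contains certificates that are not its issuers.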