On 19/10/13 11:14, Maxim Dounin wrote:
<snip>
>> I'll investigate more next week.

> The SSL_add1_chain_cert() function documentation says:
>
> : These functions were first added to OpenSSL 1.0.2.
>
> That is, they aren't yet available.

True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to "SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling against OpenSSL_1_0_2 does give the desired behaviour though.

>>> For now, the one thing we could do is to let OpenSSL build certificate
>>> chains from the trusted certificates store... In order to do that, all
>>> we need to do is to load only the first certificate in the file (i.e.
>>> don't load intermediate certificates) in case there are multiple
>>> certificates defined. This way, OpenSSL will try to build the
>>> certificate chain automatically (unfortunately, it will do that on the
>>> fly for each connection, so it's a noticeable overhead).

>> Yes, but (assuming "...from the trusted certificates store" would do
>> syscalls and disk access for every connection) hasn't Maxim already
>> said that that overhead would be unacceptable?

> This would be bad for sure, but the message you've referenced is
> about CApath vs. CAfile.  We have the ssl_trusted_certificate
> directive which loads certs to the trusted certificates store.

Ah, I see. It's just "CApath" that you want to avoid, and ssl_trusted_certificate is basically the same thing as "CAfile".

To keep things simple for users, I think it would be best for Nginx to keep expecting to find the intermediate CA certs at the end of the ssl_certificate file (rather than require users to put them in the ssl_trusted_certificate file under certain circumstances). But I agree with using the "trusted certificates store" under the hood. The following approach seems to work:

#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    /* OpenSSL 1.0.2 lets us do this properly */
    SSL_CTX_add1_chain_cert(ssl->ctx, x509);
#else
    /* ncerts (illustrative name): number of ssl_certificate directives */
    if (ncerts > 1) {
        /* Put this intermediate in the "trusted certificates store" */
        X509_STORE_add_cert(ssl->ctx->cert_store, x509);
    } else {
        /* This is what Nginx does currently */
        SSL_CTX_add_extra_chain_cert(ssl->ctx, x509);
    }
#endif

(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate not found" from the stapling code in both cases where I don't call SSL_CTX_add_extra_chain_cert() - another thing to look into!)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel