Hello! On Tue, Oct 22, 2013 at 02:31:01PM +0100, Rob Stradling wrote:
> On 22/10/13 13:09, Maxim Dounin wrote:
> >Hello!
> >
> >On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:
>
> <snip>
>
> >>The following approach seems to work:
> >>
> >>#if OPENSSL_VERSION_NUMBER >= 0x10002000L
> >>  // OpenSSL 1.0.2 lets us do this properly
> >>  Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
> >>#else
> >>  If (number of ssl_certificate directives > 1)
> >>    // Put this intermediate in the "trusted certificates store"
> >>    Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
> >>  Else
> >>    // This is what Nginx does currently
> >>    Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
> >>  End If
> >>#endif
> >
> >An unwanted side effect would be that this will allow client
> >certificate authentication to use certs from a server's
> >certificate chain. Probably not something we want to happen.
>
> Yes, that's a potentially unwanted side effect. But unfortunately,
> AFAICT, putting the intermediates into the "trusted certificates
> store" is the only way to implement this feature with OpenSSL
> <1.0.2.
>
> Could you live with this side effect if the user had to explicitly
> enable it? Like this...

I think this should be left up to the user. That is, if the user wants
us to work this way, he can use the ssl_trusted_certificate directive
to supply the needed certs.

[...]

> >>(A side effect is that I'm seeing "OCSP_basic_verify:signer
> >>certificate not found" from the stapling code in both cases where I
> >>don't call SSL_CTX_add_extra_chain_cert() - another thing to look
> >>into!)
> >
> >OCSP Stapling code uses certificate chain as available via
> >SSL_CTX_get_extra_chain_certs() to look for issuer cert, see
> >ngx_ssl_stapling_issuer().
>
> Yep, I'd found that.
>
> >Though certs from a trusted store should be used too.
>
> ngx_event_openssl_stapling.c provides OCSP_basic_verify() with 3
> places to look for certs: inside the OCSP Response, the
> extra_chain_certs and the "trusted certificate store".
>
> OCSP_basic_verify() calls ocsp_find_signer() to locate the
> certificate that signed the OCSP Response, but this function only
> looks in the first 2 of those 3 places. (There's a comment "/*
> Maybe lookup from store if by subject name */", but no associated
> code).

Err, sorry, I've somehow misread your mail and thought you were
talking about "issuer certificate not found" errors. The
OCSP_basic_verify() indeed will likely require additional fixes
and/or workarounds.

> This is a problem for OCSP Responses that are signed directly by the
> CA certificate (rather than by a delegated OCSP Response Signing
> Certificate). It currently works because that CA certificate is
> almost certainly present in extra_chain_certs. But, to support
> RSA+DSA+ECC certs signed by different intermediates, we already
> established that we can't use extra_chain_certs.
>
> To work around this, I think the only option would be to pass to
> OCSP_basic_verify() a different STACK_OF(X509) that includes all of
> the extra_chain_certs plus whatever other CA certificates that Nginx
> can lay its hands on!

Given the number of problems, it might be easier to assume the chains
must be the same. How does it look from a CA point of view?

-- 
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
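The failure mode Rob describes in the thread above (an OCSP response signed directly by the CA, with ocsp_find_signer() looking only in the response and in the certs stack, never in the trusted store) can be reproduced with the openssl command line tool, which hands OCSP_basic_verify() the same three sources. The script below is an added example, not code from this thread and not nginx code; it assumes a POSIX shell and an openssl CLI (1.0.2 or later, 3.x included) on PATH, and generates a throwaway CA, a leaf certificate, a CA index and the OCSP responses locally. Here -verify_other plays the role of the STACK_OF(X509) nginx builds from extra_chain_certs, -CAfile the role of ssl_trusted_certificate, and -resp_no_certs models a responder that does not embed its own certificate:

```sh
#!/bin/sh
# Added example, not code from the thread or from nginx: reproduce the
# ocsp_find_signer() limitation with the openssl CLI. The CLI exposes the
# same three certificate sources OCSP_basic_verify() sees from nginx:
#   - certs embedded in the response  (responder omits them with -resp_no_certs)
#   - the "certs" STACK_OF(X509) arg  (-verify_other; what extra_chain_certs feeds)
#   - the trusted store               (-CAfile; the ssl_trusted_certificate analogue)
# Assumes a POSIX shell and openssl 1.0.2 or newer (3.x included) on PATH.
# Every key, certificate and the CA index below is generated in a temp dir.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway self-signed CA plus one leaf certificate it issues (serial 0x1001).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj /CN=example-ca -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj /CN=example-leaf -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -sha256 -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key \
    -set_serial 0x1001 -out leaf.pem >/dev/null 2>&1

# Hand-written CA database for the built-in responder. Six tab-separated
# fields: status, expiry (UTCTime), revocation date, serial as upper-case
# hex (the way BN_bn2hex() renders it), file name, subject.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=example-leaf\n' > index.txt

# OCSP request for the leaf; nonce disabled so a file-based responder can answer it.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true
[ -s req.der ]

# Two responses, both signed directly by the CA key (no delegated OCSP
# signer, the case Rob describes): one embeds the signer cert, one does not.
make_response() {
    # $1 = output file, remaining args = extra responder options
    out=$1; shift
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -rmd sha256 -ndays 1 -no_nonce -reqin req.der -respout "$out" "$@" \
        >/dev/null 2>&1 || true
    [ -s "$out" ]
}
make_response resp_with_signer.der
make_response resp_no_signer.der -resp_no_certs

# Classify what OCSP_basic_verify() did for a response and a set of cert sources.
# Prints one word: ok | signer-not-found | failed
ocsp_verify_result() {
    resp=$1; shift
    result=$(openssl ocsp -respin "$resp" -no_nonce "$@" 2>&1) || true
    case "$result" in
        *"Response verify OK"*)           echo ok ;;
        *"signer certificate not found"*) echo signer-not-found ;;
        *)                                echo failed ;;
    esac
}

# Signer only in the trusted store: ocsp_find_signer() never looks there.
echo "store only, signer not embedded: $(ocsp_verify_result resp_no_signer.der -CAfile ca.pem)"
# Signer also in the certs stack, which is what nginx fills from extra_chain_certs.
echo "store + certs stack:             $(ocsp_verify_result resp_no_signer.der -CAfile ca.pem -verify_other ca.pem)"
# Signer embedded in the response itself: found without any extra stack.
echo "store only, signer embedded:     $(ocsp_verify_result resp_with_signer.der -CAfile ca.pem)"
```

With the signer only in the trusted store the verification fails with the exact "signer certificate not found" error quoted in the thread; adding the CA to the certs stack (what nginx's extra_chain_certs supplies today) or having the responder embed its certificate makes the very same response verify. That is the gap between nginx's working single-chain case and the multi-chain setup Rob proposes, and why a separate STACK_OF(X509) for OCSP_basic_verify() comes up as the workaround.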