Hello! On Wed, Apr 05, 2017 at 12:12:06PM +0000, Elliot Thomas wrote:
> Hello,
>
> We have our own independent CA hierarchy, complete with client
> certificates for servers and staff. When a server (or staff member) is
> repurposed or decommissioned, we need to be able to revoke their
> certificate - we do this by maintaining sets of CRLs.
>
> Unfortunately, due to flaws in this hierarchy, getting a complete CRL
> chain for each CA we have is difficult. This means client certs we would
> consider valid are rejected as Nginx sets 'X509_V_FLAG_CRL_CHECK_ALL' on
> the X509 store when the 'ssl_crl' directive is used. In the Apache world
> we get around this by using the 'SSLCARevocationCheck leaf' option.
>
> It would be nice to be able to control this flag, if only to work around
> broken CRL chains.
>
> I've noticed a variant of this problem has been discussed before (see trac
> issue #1094 and "[PATCH] SSL: Added crl_check_mode", March 2017) and a
> patch submitted. Before I knew of this, I wrote my own, roughly equivalent
> patch (see attached). I haven't explicitly tested the stream or mail
> changes, but the test suite does pass with these modules+ssl enabled.
>
> Is there any possibility of having one of these patches incorporated?

Unlikely. You may have better luck cleaning up your CA hierarchy.

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
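The difference the thread turns on, reproduced as an added example that is not part of the message above and not nginx or Apache code: a throwaway two-tier CA is built in a temporary directory, only the issuing CA publishes a CRL (the root never does, which is the "incomplete CRL chain" situation Elliot describes), and the same client certificate is then verified in leaf-only mode (`openssl verify -crl_check`, the behaviour Apache's `SSLCARevocationCheck leaf` gives) and in whole-chain mode (`-crl_check_all`, the `X509_V_FLAG_CRL_CHECK_ALL` behaviour nginx's `ssl_crl` selects). A final step revokes the client certificate to show that leaf-only checking still rejects a decommissioned cert. It assumes the `openssl` command-line tool (1.1.1 or later) is installed; the CA names, the `staff-laptop-01` subject and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the nginx-devel thread. Compares leaf-only and
# whole-chain CRL checking against a constructed CA hierarchy in which the
# root CA has no CRL. Requires the openssl CLI (1.1.1+).
set -eu

# build_hierarchy DIR: create root CA, issuing CA, client cert and the
# issuing CA's (initially empty) CRL inside DIR. Runs in a subshell so the
# caller's working directory is untouched.
build_hierarchy() (
  mkdir -p "$1" && cd "$1"
  # One config file serves openssl req, openssl x509 -extfile and openssl ca.
  cat > req.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = issuing
[ issuing ]
database = index.txt
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 7
EOF
  # Root CA: self-signed, and deliberately never given a CRL.
  openssl req -config req.cnf -x509 -extensions v3_ca -days 30 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
  # Issuing CA: signed by the root.
  openssl req -config req.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -subj "/CN=Demo Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions v3_ca -out issuing.crt 2>/dev/null
  # Client certificate for a staff device, signed by the issuing CA.
  openssl req -config req.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -subj "/CN=staff-laptop-01" -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions v3_leaf -out client.crt 2>/dev/null
  # Empty CRL from the issuing CA (nothing revoked yet).
  touch index.txt
  openssl ca -config req.cnf -gencrl -out issuing.crl 2>/dev/null
)

# verify_leaf DIR MODE: verify the client cert with MODE being -crl_check
# (leaf only) or -crl_check_all (every certificate in the chain).
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" \
    -CRLfile "$1/issuing.crl" "$2" "$1/client.crt"
}

# crl_mode_result DIR MODE: print "accepted" or "rejected" for MODE.
crl_mode_result() {
  if verify_leaf "$1" "$2" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# revoke_client DIR: the device is decommissioned, so the issuing CA revokes
# its certificate and publishes a fresh CRL.
revoke_client() (
  cd "$1"
  openssl ca -config req.cnf -revoke client.crt -crl_reason cessationOfOperation 2>/dev/null
  openssl ca -config req.cnf -gencrl -out issuing.crl 2>/dev/null
)

WORK=$(mktemp -d)
build_hierarchy "$WORK"
echo "before revocation, leaf only   (-crl_check):     $(crl_mode_result "$WORK" -crl_check)"
echo "before revocation, whole chain (-crl_check_all): $(crl_mode_result "$WORK" -crl_check_all)"
revoke_client "$WORK"
echo "after revocation,  leaf only   (-crl_check):     $(crl_mode_result "$WORK" -crl_check)"
rm -rf "$WORK"
```

Whole-chain mode fails at depth 1 with "unable to get certificate CRL" because no CRL issued by the root is available, even though the client certificate itself is fine; that is the rejection the thread is about, and it is a fail-closed behaviour, not a bug. Leaf-only mode accepts the unrevoked cert and still rejects it once the issuing CA has revoked it, which is the revocation case the original poster needs to keep working. Run `verify_leaf` without the redirects to see the exact error text and depth.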