[PATCH] RSA+DSA+ECC bundles
rob.stradling at comodo.com
Mon Oct 21 21:40:43 UTC 2013
On 19/10/13 11:14, Maxim Dounin wrote:
>> I'll investigate more next week.
> The SSL_add1_chain_cert() function documentation says:
> : These functions were first added to OpenSSL 1.0.2.
> That is, they aren't yet available.
True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to
"SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling against
OpenSSL_1_0_2 does give the desired behaviour though.
>>> For now, the one thing we could do is to let OpenSSL build certificate
>>> chains from the trusted certificates store... In order to do that, all
>>> we need to do is to load only the first certificate in the file (i.e.
>>> don't load intermediate certificates) in case there are multiple
>>> certificates defined. This way, OpenSSL will try to build the
>>> certificate chain automatically (unfortunately, it will do that on the
>>> fly for each connection, so it's a noticeable overhead).
>> Yes, but (assuming "...from the trusted certificates store" would do
>> syscalls and disk access for every connection) hasn't Maxim already
>> said that that overhead would be unacceptable?
> This would be bad for sure, but the message you've referenced says
> about CApath vs. CAfile. We have the ssl_trusted_certificate
> directive which loads certs to the trusted certificates store.
Ah, I see. It's just "CApath" that you want to avoid, and
ssl_trusted_certificate is basically the same thing as "CAfile".
To keep things simple for users, I think it would be best for Nginx to
keep expecting to find the intermediate CA certs at the end of the
ssl_certificate file (rather than require users to put them in the
ssl_trusted_certificate file under certain circumstances). But I agree
with using the "trusted certificates store" under the hood. The
following approach seems to work:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
// OpenSSL 1.0.2 lets us do this properly
Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
If (number of ssl_certificate directives > 1)
// Put this intermediate in the "trusted certificates store"
Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
// This is what Nginx does currently
Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate
not found" from the stapling code in both cases where I don't call
SSL_CTX_add_extra_chain_cert() - another thing to look into!)
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the nginx-devel