Rob Stradling rob.stradling at comodo.com
Mon Oct 21 21:40:43 UTC 2013

On 19/10/13 11:14, Maxim Dounin wrote:
>> I'll investigate more next week.
> The SSL_add1_chain_cert() function documentation says:
> : These functions were first added to OpenSSL 1.0.2.
> That is, they aren't yet available.

True.  FWIW, changing "SSL_CTX_add_extra_chain_cert" to 
"SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling against 
OpenSSL_1_0_2 does give the desired behaviour though.

>>> For now, the one thing we could do is to let OpenSSL build certificate
>>> chains from the trusted certificates store... In order to do that, all
>>> we need to do is to load only the first certificate in the file (i.e.
>>> don't load intermediate certificates) in case there are multiple
>>> certificates defined. This way, OpenSSL will try to build the
>>> certificate chain automatically (unfortunately, it will do that on the
>>> fly for each connection, so it's a noticeable overhead).
>> Yes, but (assuming "...from the trusted certificates store" would do
>> syscalls and disk access for every connection) hasn't Maxim already
>> said that that overhead would be unacceptable?
> This would be bad for sure, but the message you've referenced says
> about CApath vs. CAfile.  We have the ssl_trusted_certificate
> directive which loads certs to the trusted certificates store.

Ah, I see.  It's just "CApath" that you want to avoid, and 
ssl_trusted_certificate is basically the same thing as "CAfile".

To keep things simple for users, I think it would be best for Nginx to 
keep expecting to find the intermediate CA certs at the end of the 
ssl_certificate file (rather than require users to put them in the 
ssl_trusted_certificate file under certain circumstances).  But I agree 
with using the "trusted certificates store" under the hood.  The 
following approach seems to work:

     // OpenSSL 1.0.2 lets us do this properly
     Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
     If (number of ssl_certificate directives > 1)
         // Put this intermediate in the "trusted certificates store"
         Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
         // This is what Nginx does currently
         Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
     End If

(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate 
not found" from the stapling code in both cases where I don't call 
SSL_CTX_add_extra_chain_cert() - another thing to look into!)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the nginx-devel mailing list