Multiple Cert support ...

Filipe DA SILVA fdasilva at ingima.com
Thu Apr 16 10:09:48 UTC 2015


Hi, Maxim.

I forgot about this feature, even if it is mentioned in the patch.
The cert chain declared by ssl_certificate/SSL_CTX_extra_chain is sent to the client, but not the list provided by ssl_trusted_certificate.

The patch now calls SSL_CTX_add0_chain_cert when available.

Regards,
Filipe

-----Original Message-----
From: nginx-devel-bounces at nginx.org [mailto:nginx-devel-bounces at nginx.org] On behalf of Maxim Dounin
Sent: Tuesday 14 April 2015 19:47
To: nginx-devel at nginx.org
Subject: Re: RE : Multiple Cert support ...

Hello!

On Tue, Apr 14, 2015 at 05:11:17PM +0000, Filipe DA SILVA wrote:

[...]

> >But we don't need to support multiple certs with versions before 
> >OpenSSL 1.0.2.  Just an appropriate error if user tries to configure 
> >this would be enough.
> >
> >(Just in case, there are two basic problems in older versions: 
> > no way to specify a chain for each certificate,
> 
> AFAIK, it's still not possible to separate them.
> Internally, the code rebuilds a trust chain on each verification.
> I saw it when I wrote and debugged a patch about client verification using a delegated CRL.

The question isn't about trust chains used during client certificate verification, but about chains sent to a client during the SSL handshake.  In OpenSSL 1.0.2 there is an extra chain for each algorithm-specific certificate:

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

See these commits for details:

https://github.com/openssl/openssl/commit/f71c6e52f769af0d2d40ed7e1dcb4fff837837a0
https://github.com/openssl/openssl/commit/a4339ea3ba045b7da038148f0d48ce25f2996971

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
