[PATCH] SSL: Added crl_check_mode

Elliot Thomas Elliot.Thomas at bbc.co.uk
Wed Apr 5 12:12:06 UTC 2017


We have our own independent CA hierarchy, complete with client
certificates for servers and staff. When a server (or staff member) is
repurposed or decommissioned, we need to be able to revoke their
certificate - we do this by maintaining sets of CRLs.

Unfortunately, due to flaws in this hierarchy, getting a complete CRL
chain for each CA we have is difficult. This means client certs we would
consider valid are rejected as Nginx sets 'X509_V_FLAG_CRL_CHECK_ALL' on
the X509 store when the 'ssl_crl' directive is used. In the Apache world
we get around this by using the 'SSLCARevocationCheck leaf' option.

It would be nice to be able to control this flag, if only to work around
broken CRL chains.

I've noticed a variant of this problem has been discussed before (see trac
issue #1094 and "[PATCH] SSL: Added crl_check_mode", March 2017) and a
patch submitted. Before I knew of this, I wrote my own, roughly equivalent
patch (see attached). I haven't explicitly tested the stream or mail
changes, but the test suite does pass with these modules+ssl enabled.

Is there any possibility of having one of these patches incorporated?

Thanks, Elliot.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: changeset.txt
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20170405/b5e61e11/attachment.txt>
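The behaviour the mail describes, as an added example that is not part of the original post, the attached patch or nginx: the openssl CLI maps `-crl_check` to X509_V_FLAG_CRL_CHECK (leaf-only, like Apache's `SSLCARevocationCheck leaf`) and `-crl_check_all` to X509_V_FLAG_CRL_CHECK_ALL (the flag nginx sets for `ssl_crl`), so a constructed root/intermediate/leaf hierarchy in which only the intermediate publishes a CRL shows why the same client certificate passes one mode and fails the other. The subject names and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the attached patch or nginx): reproduce the
# behaviour described in the mail with the openssl CLI. "-crl_check" sets
# X509_V_FLAG_CRL_CHECK (check the leaf's CRL only, like Apache's
# "SSLCARevocationCheck leaf"); "-crl_check_all" sets
# X509_V_FLAG_CRL_CHECK_ALL (a CRL is required for every CA in the chain),
# which is what nginx sets when ssl_crl is configured.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed hierarchy: root -> intermediate -> client leaf. Names are
# placeholders; the CA certs get CA:TRUE via an explicit extension file.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 30 -in root.csr -signkey root.key \
  -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA inter.crt -CAkey inter.key \
  -CAcreateserial -out leaf.crt 2>/dev/null

# Only the intermediate publishes a CRL (empty: nothing is revoked). No
# root CRL exists, which is the "incomplete CRL chain" case from the mail.
printf '[ca]\ndefault_ca=ca_default\n[ca_default]\ndatabase=index.txt\n' > ca.cnf
: > index.txt
openssl ca -config ca.cnf -gencrl -keyfile inter.key -cert inter.crt \
  -md sha256 -crldays 30 -out inter.crl 2>/dev/null

# verify_with MODE (-crl_check or -crl_check_all): prints "ok" when the leaf
# verifies and "fail" otherwise; always returns 0 so it is safe under set -e.
verify_with() {
  if openssl verify -CAfile root.crt -untrusted inter.crt -CRLfile inter.crl \
      "$1" leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "leaf-only CRL check  (-crl_check):     $(verify_with -crl_check)"      # ok
echo "full-chain CRL check (-crl_check_all): $(verify_with -crl_check_all)"  # fail
```

The second line is the failure nginx users hit: with CRL_CHECK_ALL the missing root CRL makes an otherwise valid client certificate unverifiable, even though the leaf's own CRL is present and says nothing is revoked.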