[PATCH] SSL: Added crl_check_mode

Maxim Dounin mdounin at mdounin.ru
Wed Apr 5 15:31:07 UTC 2017


On Wed, Apr 05, 2017 at 12:12:06PM +0000, Elliot Thomas wrote:

> Hello,
> We have our own independent CA hierarchy, complete with client
> certificates for servers and staff. When a server (or staff member) is
> repurposed or decommissioned, we need to be able to revoke their
> certificate - we do this by maintaining sets of CRLs.
> Unfortunately, due to flaws in this hierarchy, getting a complete CRL
> chain for each CA we have is difficult. This means client certs we would
> consider valid are rejected as Nginx sets 'X509_V_FLAG_CRL_CHECK_ALL' on
> the X509 store when the 'ssl_crl' directive is used. In the Apache world
> we get around this by using the 'SSLCARevocationCheck leaf' option.
> It would be nice to be able to control this flag, if only to work around
> broken CRL chains.
> I've noticed a variant of this problem has been discussed before (see trac
> issue #1094 and "[PATCH] SSL: Added crl_check_mode", March 2017) and a
> patch submitted. Before I knew of this, I wrote my own, roughly equivalent
> patch (see attached). I haven't explicitly tested the stream or mail
> changes, but the test suite does pass with these modules+ssl enabled.
> Is there any possibility of having one of these patches incorporated?

Unlikely.  You may have better luck cleaning up your CA hierarchy.

Maxim Dounin

More information about the nginx-devel mailing list