Adding an option to only perform CRL checks for leaf nodes
njh at aelius.com
Thu Apr 27 15:18:30 UTC 2017
I was having trouble getting CRL checks working for client certificates
and it turns out that the problem is because nginx checks CRLs for all
levels of the certificate hierarchy, but the CA I am using does not
publish CRLs for intermediate certificates.
It is not uncommon for the private key of the root CA certificate to be
locked away offline in a safe, to prevent any other intermediate
certificates from being issued. However, this means that CRLs cannot be
generated for the intermediate certificates, only the leaf certificates.
Hence only the leaf certificates can be CRL checked.
The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK in
OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.
Would you accept a patch that adds a new configuration option to nginx
to control this?
I was thinking the option might look like:
ssl_crl_check leaf; # Only check if leaf certificates have been
ssl_crl_check all; # Check the whole chain for revoked certificates
The default behaviour would continue to be to check the whole chain.
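As an added illustration (not code from the post, and not nginx's own code), the two proposed modes expressed with Python's standard ssl module, whose VERIFY_CRL_CHECK_LEAF and VERIFY_CRL_CHECK_CHAIN constants wrap exactly the OpenSSL flags named above (X509_V_FLAG_CRL_CHECK alone, and X509_V_FLAG_CRL_CHECK with X509_V_FLAG_CRL_CHECK_ALL). The function names and the "leaf"/"all" mapping are assumptions chosen to mirror the proposed ssl_crl_check directive.

```python
import ssl
from typing import Optional

# Added example: maps the proposed "ssl_crl_check leaf|all" values onto the
# OpenSSL verify flags through Python's stdlib ssl module.
#   VERIFY_CRL_CHECK_LEAF  == X509_V_FLAG_CRL_CHECK                            (0x4)
#   VERIFY_CRL_CHECK_CHAIN == X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL (0xC)
# The names below (CRL_CHECK_MODES, crl_verify_flags, ...) are assumptions.
CRL_CHECK_MODES = {
    "leaf": ssl.VERIFY_CRL_CHECK_LEAF,   # only the end-entity certificate
    "all": ssl.VERIFY_CRL_CHECK_CHAIN,   # every certificate in the chain
}


def crl_verify_flags(mode: str) -> int:
    """Return the OpenSSL verify flags for a directive value ("leaf" or "all")."""
    try:
        return int(CRL_CHECK_MODES[mode])
    except KeyError:
        raise ValueError(f"ssl_crl_check: expected 'leaf' or 'all', got {mode!r}") from None


def make_client_auth_context(mode: str = "all",
                             ca_file: Optional[str] = None,
                             crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that requires a client certificate and CRL-checks it.

    With mode="all" OpenSSL needs a CRL for every CA in the chain, so a CA
    that publishes no intermediate CRLs makes every client certificate fail
    verification.  mode="leaf" consults only the CRL that covers the
    end-entity certificate.  The default is "all", as the post proposes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        # CRLs go into the same X509_STORE as the trusted CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    ctx.verify_flags |= crl_verify_flags(mode)
    return ctx


def checks_leaf_crl(ctx: ssl.SSLContext) -> bool:
    """True if the end-entity certificate is checked against a CRL."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def checks_intermediate_crls(ctx: ssl.SSLContext) -> bool:
    """True if intermediate and root CA certificates are CRL-checked as well."""
    return (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN


if __name__ == "__main__":
    for mode in ("leaf", "all"):
        ctx = make_client_auth_context(mode)
        print(f"ssl_crl_check {mode}: leaf={checks_leaf_crl(ctx)} "
              f"intermediates={checks_intermediate_crls(ctx)}")
```

In either mode the CRL itself must be loaded into the verify store (nginx does this with ssl_crl; here it is load_verify_locations); the difference the post describes is only whether OpenSSL also demands a CRL from each intermediate issuer.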