Adding an option to only perform CRL checks for leaf nodes

Nicholas Humfrey njh at
Thu Apr 27 15:18:30 UTC 2017


I was having trouble getting CRL checks working for client certificates 
and it turns out that the problem is because nginx checks CRLs for all 
levels of the certificate hierarchy, but the CA I am using does not 
publish CRLs for intermediate certificates.

It is not uncommon for the private key of the root CA certificate to be 
locked-away offline in a safe, to prevent any other intermediate 
certificates from being issued. However this means that CRLs cannot be 
generated for the intermediate certificates, only the leaf certificates. 
Hence only the leaf certificates can be CRL checked.

The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK in 
OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.

Would you accept a patch that adds a new configuration option to nginx 
to control this?

I was thinking the option might look like:

   ssl_crl_check leaf;   # Only check if leaf certificates have been 
   ssl_crl_check all;    # Check the whole chain for revoked certificates

The default behaviour would continue to be to check the whole chain.



More information about the nginx-devel mailing list