Adding an option to only perform CRL checks for leaf nodes

Jyrno Ader jyrno42 at gmail.com
Thu Apr 27 15:32:10 UTC 2017


Seems to me that the current stance is that this won't be added. See

- http://mailman.nginx.org/pipermail/nginx-devel/2017-March/009599.html
- http://mailman.nginx.org/pipermail/nginx-devel/2017-April/009784.html


Lugupidamisega,
Jürno Ader

2017-04-27 18:18 GMT+03:00 Nicholas Humfrey <njh at aelius.com>:

> Hi,
>
> I was having trouble getting CRL checks working for client certificates
> and it turns out that the problem is because nginx checks CRLs for all
> levels of the certificate hierarchy, but the CA I am using does not publish
> CRLs for intermediate certificates.
>
> It is not uncommon for the private key of the root CA certificate to be
> locked-away offline in a safe, to prevent any other intermediate
> certificates from being issued. However this means that CRLs cannot be
> generated for the intermediate certificates, only the leaf certificates.
> Hence only the leaf certificates can be CRL checked.
>
> The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK in
> OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.
>
> Would you accept a patch that adds a new configuration option to nginx to
> control this?
>
>
> I was thinking the option might look like:
>
>   ssl_crl_check leaf;   # Only check if leaf certificates have been revoked
>   ssl_crl_check all;    # Check the whole chain for revoked certificates
>
> The default behaviour would continue to be to check the whole chain.
>
>
> Thanks,
>
> nick.
>
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20170427/e81f089f/attachment.html>


More information about the nginx-devel mailing list