Does ssl_trusted_certificate actually send certs to client?

Maxim Dounin mdounin at mdounin.ru
Mon Mar 2 14:51:02 UTC 2015


Hello!

On Sun, Mar 01, 2015 at 07:05:43AM -0500, shumisha wrote:

> Hi
> I'm facing this problem as well, though in a different context: OCSP
> stapling. Everything looks good without OCSP stapling: my ssl_certificate
> file contains my domain (wildcard) cert from AlphaSSL, that doesn't require
> any intermediate cert, so the domain cert is the only one in that file.
> 
> However to enable OCSP stapling, I have to specify the full cert chain in
> ssl_trusted_certificate. I do this by including first GlobalSign root, then
> alpha SSL intermediate. This works fine, and OCSP stapling is operating
> normally.
> 
> But as a side effect, now clients also receive the full chain of
> certificates. I think, from your response above, that openssl auto chain
> building is responsible for that (you also made the same reply in
> http://forum.nginx.org/read.php?2,248153,248168#msg-248168)
> 
> 1 - You say: "It shouldn't happen as long as there is at least one
> intermediate cert in ssl_certificate file". That's precisely what I want to
> avoid, including the whole chain in the ssl_certificate file. Only adding the
> AlphaSSL intermediate cert in ssl_certificate (i.e. NOT adding the GlobalSign
> root cert) results in an error #20.
> 
> 2 - Googling a bit more, and totally shooting in the dark here, I also found
> that Openssl has an SSL_MODE_NO_AUTO_CHAIN flag that "...Allow an
> application to disable the automatic SSL chain building....". Isn't it
> something you could use to disable the auto chain building? (originated from
> http://t93518.encryption-openssl-development.encryptiontalk.info/ssl-server-root-certs-and-client-auth-t93518.html
> I think)
> 
> Thanks for any input anyway!

Thanks, this looks like the correct flag to use.  Try the following
patch:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -277,6 +277,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
 
+#ifdef SSL_MODE_NO_AUTO_CHAIN
+    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
+#endif
+
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
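Review bot: the new #ifdef block sets SSL_MODE_NO_AUTO_CHAIN unconditionally for every context ngx_ssl_create() builds, with no directive to restore the old behaviour, so a setup that currently relies on automatic chain building (leaf-only ssl_certificate with the intermediate supplied only through ssl_trusted_certificate, as in the quoted message) will stop sending the intermediate to clients after this change; that is what the report asks for, but it is a behaviour change for anyone else in that configuration, so a CHANGES entry stating that intermediates must now be present in the ssl_certificate file would be appropriate. The guard itself mirrors the SSL_MODE_RELEASE_BUFFERS pattern just above, so builds against OpenSSL versions that lack the flag still compile.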


-- 
Maxim Dounin
http://nginx.org/
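A check for the side effect discussed in the quoted message, as an added example that is not part of the thread or of nginx: it counts the certificates a server actually sends and reports whether an OCSP response was stapled, assuming openssl(1) is installed and a hypothetical HOST; the two sample sessions are constructed.

```shell
# Added example, not from the thread: inspect a captured
# "openssl s_client -status -showcerts" session.

# Number of certificates in the server's Certificate message.
count_sent_certs() {
    printf '%s\n' "$1" | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# "stapled" if s_client reported a successful OCSP response, else "not-stapled".
stapling_status() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo not-stapled
    fi
}

# Live probe (needs network). $1 is a hypothetical host name; port 443 assumed.
probe_server() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" \
        -status -showcerts </dev/null 2>/dev/null)
    echo "certificates sent: $(count_sent_certs "$out")"
    echo "ocsp stapling: $(stapling_status "$out")"
}

# Constructed sample: the side effect described above, i.e. leaf, intermediate
# and root all sent, with OCSP stapling working. Bodies are placeholders.
SAMPLE_FULL_CHAIN='OCSP Response Data:
    OCSP Response Status: successful (0x0)
Certificate chain
 0 s:/CN=*.example.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=AlphaSSL intermediate (constructed)
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/CN=GlobalSign root (constructed)
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----'

# Constructed sample: leaf only, no stapling (the state before enabling it).
SAMPLE_LEAF_ONLY='OCSP response: no response sent
Certificate chain
 0 s:/CN=*.example.com
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----'
```

Call `probe_server yourhost` against a live server; a count above 1 with the leaf-only ssl_certificate is the auto-chain effect from the thread.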