ssl_verify_partial_chain

Maxim Dounin mdounin at mdounin.ru
Thu May 19 02:23:58 UTC 2022 

Hello!

On Wed, May 18, 2022 at 02:28:28PM +0200, Vedran Vidovic wrote:

>    We would like to be able to configure the mutual TLS client
>    authentication by:
>    - adding intermediate CA certificates
>    - without adding the root CA certificate for each intermediate
>    certificate
> 
>    If we add CA as a trusted issuer, we shouldn't need to add its issuer
>    to
>    the truststore (ssl_client_certificate).
> 
>    I propose a backward compatible solution to add a new configuration
>    option ssl_verify_partial_chain that can be turned on if the behaviour
>    described above is desired. This option enables the openssl library
>    partial_chain verification.

(First of all, just to make sure it's understood and this isn't 
something you are trying to do.  Note that if one want to limit 
access, it might be a good idea to use some actual authorization 
checks in additional to PKI, which essentially provides 
authentication.  Using narrow trust as a poor man's authorization 
checks is not the way to go.)

After reading https://github.com/openssl/openssl/issues/7871 I 
tend to think that a better solution might be to explicitly 
configure trust on the certificates if such configuration is 
needed.

Something like:

$ openssl x509 -in cert.pem -out trust.pem -trustout -addtrust anyExtendedKeyUsage

will do the trick.

For ssl_trusted_certificate / proxy_ssl_trusted_certificate this 
works out of the box (seems to work at least since OpenSSL 1.0.2, 
the same version where X509_V_FLAG_PARTIAL_CHAIN was introduced).

For ssl_client_certificate it needs some additional cert in the
file to work, as SSL_load_client_CA_file() is not able to parse
certificates with trust data.  (And such certificates won't be
advertized during SSL handshakes.)  Not sure if it's practical
problem, but if it is, it should be possible to adjust
SSL_load_client_CA_file() and/or switch to a different way to
create the CA list for SSL_CTX_set_client_CA_list().

[...]

> @@ -874,6 +874,25 @@
>  
>      SSL_CTX_set_verify_depth(ssl->ctx, depth);
>  
> +    if (partial_chain == 1) {
> +      X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();;
> +      if (param) {
> +        X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> +        if (SSL_CTX_set1_param(ssl->ctx, param) == 0) {

Just in case, setting flags via X509_STORE_set_flags(), much like 
ngx_ssl_crl() does, should be much easier.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx-devel mailing list