On 19/10/13 11:14, Maxim Dounin wrote:
<snip>
>> I'll investigate more next week.
>
> The SSL_add1_chain_cert() function documentation says:
> : These functions were first added to OpenSSL 1.0.2.
> That is, they aren't yet available.
True. FWIW, changing "SSL_CTX_add_extra_chain_cert" to "SSL_CTX_add1_chain_cert" in ngx_event_openssl.c and compiling against OpenSSL_1_0_2 does give the desired behaviour though.
>>> For now, the one thing we could do is to let OpenSSL build certificate chains from the trusted certificates store... In order to do that, all we need to do is to load only the first certificate in the file (i.e. don't load intermediate certificates) in case there are multiple certificates defined. This way, OpenSSL will try to build the certificate chain automatically (unfortunately, it will do that on the fly for each connection, so it's a noticeable overhead).
>>
>> Yes, but (assuming "...from the trusted certificates store" would do syscalls and disk access for every connection) hasn't Maxim already said that that overhead would be unacceptable?
>
> This would be bad for sure, but the message you've referenced is about CApath vs. CAfile. We have the ssl_trusted_certificate directive which loads certs to the trusted certificates store.
Ah, I see. It's just "CApath" that you want to avoid, and ssl_trusted_certificate is basically the same thing as "CAfile".
To keep things simple for users, I think it would be best for Nginx to keep expecting to find the intermediate CA certs at the end of the ssl_certificate file (rather than require users to put them in the ssl_trusted_certificate file under certain circumstances). But I agree with using the "trusted certificates store" under the hood. The following approach seems to work:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    /* OpenSSL 1.0.2 lets us do this properly */
    Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
#else
    If (number of ssl_certificate directives > 1)
        /* Put this intermediate in the "trusted certificates store" */
        Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
    Else
        /* This is what Nginx does currently */
        Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
    End If
#endif
(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate not found" from the stapling code in both cases where I don't call SSL_CTX_add_extra_chain_cert() - another thing to look into!)
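As an added illustration (this is not code from the thread, from nginx, or from OpenSSL), the script below uses the openssl command line to show the two ways a chain can get built that are being weighed above. A verifier that trusts only the root is given the leaf certificate three ways: on its own (a server that sends no intermediate), with the intermediate supplied as untrusted chain material (what SSL_CTX_add_extra_chain_cert() and SSL_CTX_add1_chain_cert() configure the server to send), and with the intermediate placed in the trusted store so OpenSSL has to discover it there (the X509_STORE_add_cert() fallback). The throw-away PKI is generated on the fly, the function names are my own, and the script assumes an openssl binary of 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: OpenSSL chain building from untrusted chain material vs. from
# the trusted store. Not from the nginx-devel thread; certificates are generated
# here and discarded. Requires the openssl CLI (assumed: 1.1.1 or later).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_config() {
    printf '%s\n' '[ req ]' 'distinguished_name = req_dn' 'x509_extensions = v3_ca' \
        '[ req_dn ]' '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/req.cnf"
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/inter.ext"
    printf '%s\n' 'basicConstraints = CA:FALSE' > "$WORK/leaf.ext"
}

# Build a three-level demo PKI: root -> inter -> leaf (constructed, P-256 keys).
make_pki() {
    write_config
    openssl req -x509 -config "$WORK/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Demo Root" 2>/dev/null
    for n in inter leaf; do
        openssl req -new -config "$WORK/req.cnf" -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$n.key" -out "$WORK/$n.csr" -subj "/CN=Demo $n" 2>/dev/null
    done
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Case 1: the verifier trusts only the root and is handed the leaf alone,
# i.e. the server configured no intermediate at all. Expected: failure.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 2: the intermediate arrives as untrusted chain material, which is what a
# server sends when the chain was configured with SSL_CTX_add_extra_chain_cert()
# or SSL_CTX_add1_chain_cert(). Expected: success, no store lookup needed.
verify_with_untrusted_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3: the intermediate lives in the trusted store and OpenSSL must find it
# there, the behaviour the X509_STORE_add_cert() fallback relies on. Expected:
# success, at the cost of a store search each time the chain is built.
verify_from_trusted_store() {
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/store.pem"
    openssl verify -CAfile "$WORK/store.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_pki
for case in verify_leaf_only verify_with_untrusted_chain verify_from_trusted_store; do
    if "$case"; then
        echo "$case: chain built, verification OK"
    else
        echo "$case: verification FAILED (issuer not available)"
    fi
done
```

Run it as `sh chain-demo.sh`; only the first case should report a failure. The `-untrusted` input models what a client receives from a server that sends its chain, while the combined `store.pem` models the ssl_trusted_certificate route, where the intermediate is never sent as configured chain material but is located by a search of the store.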