On Tue, Oct 22, 2013 at 02:31:01PM +0100, Rob Stradling wrote:
On 22/10/13 13:09, Maxim Dounin wrote:
On Mon, Oct 21, 2013 at 10:40:43PM +0100, Rob Stradling wrote:
<snip>
>>The following approach seems to work:
>>
>>#if OPENSSL_VERSION_NUMBER >= 0x10002000L
>>  // OpenSSL 1.0.2 lets us do this properly
>>  Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
>>#else
>>  If (number of ssl_certificate directives > 1)
>>    // Put this intermediate in the "trusted certificates store"
>>    Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
>>  Else
>>    // This is what Nginx does currently
>>    Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
>>  End If
>>#endif
>
>An unwanted side effect would be that this will allow client
>certificate authentication to use certs from a server's
>certificate chain. Probably not something we want to happen.
Yes, that's a potentially unwanted side effect. But unfortunately, AFAICT, putting the intermediates into the "trusted certificates store" is the only way to implement this feature with OpenSSL <1.0.2.
Could you live with this side effect if the user had to explicitly enable it? Like this...
I think this should be left up to the user. That is, if the user wants us to work this way, he can use the ssl_trusted_certificate directive to supply the needed certs.
(A side effect is that I'm seeing "OCSP_basic_verify:signer certificate not found" from the stapling code in both cases where I don't call SSL_CTX_add_extra_chain_cert() - another thing to look into!)
The OCSP stapling code uses the certificate chain as available via SSL_CTX_get_extra_chain_certs() to look for the issuer cert, see ngx_ssl_stapling_issuer().
Yep, I'd found that.
Though certs from a trusted store should be used too.
ngx_event_openssl_stapling.c provides OCSP_basic_verify() with 3 places to look for certs: inside the OCSP Response, the extra_chain_certs and the "trusted certificate store".
OCSP_basic_verify() calls ocsp_find_signer() to locate the certificate that signed the OCSP Response, but this function only looks in the first 2 of those 3 places. (There's a comment "/* Maybe lookup from store if by subject name */", but no associated code).
Err, sorry, I've somehow misread your mail and thought you were talking about "issuer certificate not found" errors. OCSP_basic_verify() will indeed likely require additional fixes and/or workarounds.
This is a problem for OCSP Responses that are signed directly by the CA certificate (rather than by a delegated OCSP Response Signing Certificate). It currently works because that CA certificate is almost certainly present in extra_chain_certs. But, to support RSA+DSA+ECC certs signed by different intermediates, we already established that we can't use extra_chain_certs.
To work around this, I think the only option would be to pass to OCSP_basic_verify() a different STACK_OF(X509) that includes all of the extra_chain_certs plus whatever other CA certificates Nginx can lay its hands on!
Given the number of problems, it might be easier to assume the chains must be the same. How does it look from a CA point of view?