[PATCH] RSA+DSA+ECC bundles

Rob Stradling rob.stradling at comodo.com
Fri Oct 18 23:06:57 UTC 2013 

On 17/10/13 23:00, Piotr Sikora wrote:
> Hey,
>
>> I would rather see ssl_certificates to be used this way, something
>> like:
>>
>>      ssl_certificate      rsa.crt;
>>      ssl_certificate_key  rsa.key;
>>
>>      ssl_certificate      ecc.crt;
>>      ssl_certificate_key  ecc.key;
>
> Yeah, I'm in favor of that syntax as well.
>
>> AFAIR, OpenSSL only able to store one certificate chain per
>> SSL_CTX, which is the root cause of the problem.
>
> That's solved in OpenSSL-1.0.2 (unreleased).

Thanks Piotr.  I tried building Nginx with my v2 patch against 
OpenSSL_1_0_2, but I didn't see any change in behaviour.  i.e. With an 
RSA cert and an ECC cert issued by different CAs, Nginx sends the 
intermediate certs from both chains in both cases.

Nginx uses SSL_CTX_add_extra_chain_cert(), and I think that might be the 
problem.  That function's 1_0_2 man page says "Different chains for 
different certificates (for example if both RSA and DSA certificates are 
specified by the same server) or different SSL structures with the same 
parent SSL_CTX cannot be specified using this function. For more 
flexibility functions such as SSL_add1_chain_cert() should be used instead."

I'll investigate more next week.

> For now, the one thing we could do is to let OpenSSL build certificate
> chains from the trusted certificates store... In order to do that, all
> we need to do is to load only the first certificate in the file (i.e.
> don't load intermediate certificates) in case there are multiple
> certificates defined. This way, OpenSSL will try to build the
> certificate chain automatically (unfortunately, it will do that on the
> fly for each connection, so it's a noticeable overhead).

Yes, but (assuming "...from the trusted certificates store" would do 
syscalls and disk access for every connection) hasn't Maxim already said 
that that overhead would be unacceptable?

> Optimized version of that could compare intermediates from all the
> files and only do that in case they differ.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the nginx-devel mailing list