[PATCH] RSA+DSA+ECC bundles

Maxim Dounin mdounin at mdounin.ru
Sat Oct 19 10:14:24 UTC 2013


Hello!

On Sat, Oct 19, 2013 at 12:06:57AM +0100, Rob Stradling wrote:

> On 17/10/13 23:00, Piotr Sikora wrote:
> >Hey,
> >
> >>I would rather see ssl_certificates to be used this way, something
> >>like:
> >>
> >>     ssl_certificate      rsa.crt;
> >>     ssl_certificate_key  rsa.key;
> >>
> >>     ssl_certificate      ecc.crt;
> >>     ssl_certificate_key  ecc.key;
> >
> >Yeah, I'm in favor of that syntax as well.
> >
> >>AFAIR, OpenSSL only able to store one certificate chain per
> >>SSL_CTX, which is the root cause of the problem.
> >
> >That's solved in OpenSSL-1.0.2 (unreleased).
> 
> Thanks Piotr.  I tried building Nginx with my v2 patch against
> OpenSSL_1_0_2, but I didn't see any change in behaviour.  i.e. With
> an RSA cert and an ECC cert issued by different CAs, Nginx sends the
> intermediate certs from both chains in both cases.
> 
> Nginx uses SSL_CTX_add_extra_chain_cert(), and I think that might be
> the problem.  That function's 1_0_2 man page says "Different chains
> for different certificates (for example if both RSA and DSA
> certificates are specified by the same server) or different SSL
> structures with the same parent SSL_CTX cannot be specified using
> this function. For more flexibility functions such as
> SSL_add1_chain_cert() should be used instead."
> 
> I'll investigate more next week.

The SSL_add1_chain_cert() function documentation says:

: These functions were first added to OpenSSL 1.0.2.

That is, they aren't yet available.

> >For now, the one thing we could do is to let OpenSSL build certificate
> >chains from the trusted certificates store... In order to do that, all
> >we need to do is to load only the first certificate in the file (i.e.
> >don't load intermediate certificates) in case there are multiple
> >certificates defined. This way, OpenSSL will try to build the
> >certificate chain automatically (unfortunately, it will do that on the
> >fly for each connection, so it's a noticeable overhead).
> 
> Yes, but (assuming "...from the trusted certificates store" would do
> syscalls and disk access for every connection) hasn't Maxim already
> said that that overhead would be unacceptable?

This would be bad for sure, but the message you've referenced talks
about CApath vs. CAfile.  We have the ssl_trusted_certificate
directive which loads certs to the trusted certificates store.

-- 
Maxim Dounin
http://nginx.org/en/donation.html