Adding an option to only perform CRL checks for leaf nodes

Nicholas Humfrey njh at aelius.com
Thu Apr 27 20:07:32 UTC 2017


Thank you for your speedy reply.

Sorry, I had failed to find these threads while researching the problem.

nick.



On 2017-04-27 16:32, Jyrno Ader wrote:
> Seems to me that the current stance is that this won't be added. See
> 
> -
> http://mailman.nginx.org/pipermail/nginx-devel/2017-March/009599.html
> -
> http://mailman.nginx.org/pipermail/nginx-devel/2017-April/009784.html
> 
> Lugupidamisega,
> Jürno Ader
> 2017-04-27 18:18 GMT+03:00 Nicholas Humfrey <njh at aelius.com>:
> 
>> Hi,
>> 
>> I was having trouble getting CRL checks working for client
>> certificates and it turns out that the problem is because nginx
>> checks CRLs for all levels of the certificate hierarchy, but the CA
>> I am using does not publish CRLs for intermediate certificates.
>> 
>> It is not uncommon for the private key of the root CA certificate to
>> be locked-away offline in a safe, to prevent any other intermediate
>> certificates from being issued. However this means that CRLs cannot
>> be generated for the intermediate certificates, only the leaf
>> certificates. Hence only the leaf certificates can be CRL checked.
>> 
>> The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK
>> in OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.
>> 
>> Would you accept a patch that adds a new configuration option to
>> nginx to control this?
>> 
>> I was thinking the option might look like:
>> 
>> ssl_crl_check leaf;   # Only check if leaf certificates have been
>> revoked
>> ssl_crl_check all;    # Check the whole chain for revoked
>> certificates
>> 
>> The default behaviour would continue to be to check the whole chain.
>> 
>> Thanks,
>> 
>> nick.
>> 
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel [1]
> 
> 



More information about the nginx-devel mailing list