[PATCH] fix/unify access to SSL_CTX certificate chains
mdounin at mdounin.ru
Mon May 13 12:30:02 UTC 2019
On Mon, May 13, 2019 at 08:16:13AM +0200, Elias Ohm via nginx-devel wrote:
> src/event/ngx_event_openssl_stapling.c | 10 ++++++++--
> 1 files changed, 8 insertions(+), 2 deletions(-)
> # HG changeset patch
> # User Elias Ohm <eohm at novomind.com>
> # Date 1557697215 -7200
> # Sun May 12 23:40:15 2019 +0200
> # Node ID 6c1d44aa7054fb130ece5432119d04971b586795
> # Parent 16a1adadf43751f59257ba419f6bacd530dd19d3
> fix/unify access to SSL_CTX certificate chains
> For newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate, while in older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert), which is always global to the context.
> Reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions).
> However, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls back to reading chain_certs when no extra_certs are available, but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. In addition, this is an inconsistent use of the functions, and the functionality of trying extra certs and falling back to the certificate chain is not needed here.
You may want to be more specific here:
LibreSSL 2.9.1 introduced partial support for per-certificate
chains, yet failed to introduce appropriate changes in
SSL_CTX_get_extra_chain_certs(). Quoting documentation for
SSL_CTX_get_extra_chain_certs(), as recently added to OpenSSL:
: SSL_CTX_get_extra_chain_certs() retrieves the extra chain
: certificates associated with ctx, or the chain associated with the
: current certificate of ctx if the extra chain is empty.
This behaviour was in OpenSSL since the original introduction of
per-certificate chains in OpenSSL 1.0.2, so code can safely
use SSL_CTX_get_extra_chain_certs() to get the best of the
available chains regardless of how certificate chains were set.
And this is what the code in question in nginx does - it uses
SSL_CTX_get_extra_chain_certs() to get the best of the available
While I generally like LibreSSL, this looks like a LibreSSL bug to
me. And instead of trying to fix working code in nginx, you may
want to focus on fixing SSL_CTX_get_extra_chain_certs() in