[PATCH] fix/unify access to SSL_CTX certificate chains

Maxim Dounin mdounin at mdounin.ru
Mon May 13 12:30:02 UTC 2019


On Mon, May 13, 2019 at 08:16:13AM +0200, Elias Ohm via nginx-devel wrote:

>  src/event/ngx_event_openssl_stapling.c |  10 ++++++++--
>  1 files changed, 8 insertions(+), 2 deletions(-)
> # HG changeset patch
> # User Elias Ohm <eohm at novomind.com>
> # Date 1557697215 -7200
> #      Sun May 12 23:40:15 2019 +0200
> # Node ID 6c1d44aa7054fb130ece5432119d04971b586795
> # Parent  16a1adadf43751f59257ba419f6bacd530dd19d3
> fix/unify access to SSL_CTX certificate chains
> for newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate while in older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert) which is always global to the context.
> reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions).
> however, this works for OpenSSL where the SSL_CTX_get_extra_chain_certs falls back to read chain_certs when no extra_certs are available but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. in addition this is inconsistent use of the functions and the functionality of trying extra certs and falling back to certificates chain is not needed here.

You may want to be more specific here:

LibreSSL 2.9.1 introduced partial support for per-certificate 
chains, yet failed to introduce appropriate changes in 
SSL_CTX_get_extra_chain_certs().  Quoting documentation for 
SSL_CTX_get_extra_chain_certs(), as recently added to OpenSSL[1]:

: SSL_CTX_get_extra_chain_certs() retrieves the extra chain 
: certificates associated with ctx, or the chain associated with the 
: current certificate of ctx if the extra chain is empty.

This behaviour was in OpenSSL since original introduction of 
per-certificate chains in OpenSSL 1.0.2[2], so a code can safely 
use SSL_CTX_get_extra_chain_certs() to get the best of the 
available chains regardless of how certificate chains were set.  
And this is what the code in question in nginx does - it uses 
SSL_CTX_get_extra_chain_certs() to get the best of the available 

While I generally like LibreSSL, this looks like a LibreSSL bug to 
me.  And instead of trying to fix working code in nginx, you may 
want to focus on fixing SSL_CTX_get_extra_chain_certs() in 

[1] https://github.com/openssl/openssl/commit/dc703d6b469f1b186483a55b59013fbaca2228fd
[2] https://github.com/openssl/openssl/commit/a51f767645c117667d337f77fe1dd9c0a66d8410

Maxim Dounin
