mdounin at mdounin.ru
Sat May 21 01:46:44 UTC 2022
On Fri, May 20, 2022 at 04:02:08PM +0200, Vedran Vidovic wrote:
> thanks for the extensive answer.
> I will try to pursue a solution similar to your suggestion:
> - convert intermediate CA certificate to trusted certificate
> - validate client certificate using trusted certificate
> I still believe that addition of the new configuration option
> "ssl_verify_partial_chain" would benefit nginx because if
> we configure it using the "ssl_trusted_certificate" it doesn't
> send a list of allowed CAs to the client. We just can't cover
> the case when we want to send a list of allowed issuers
> (without their root certs) without changes to nginx.
Sure, it could be beneficial to provide proper list of allowed
certificate authorities during the SSL handshake. But, as already
suggested, it should be possible to solve this without introducing
additional options. Further, given the comments in the OpenSSL
ticket, it might be something to address on the OpenSSL side if
OpenSSL team is willing to simplify providing explicit trust
> In my view, if I configure a certificate I1 as a trusted issuer, I should not be enforced
> to add its issuer to list of trusted certificates. I would like to tell my server to trust all
> certificates issued by certificate I1 (and not by it's root issuer). Similar functionality
> is available in some other products I used and it seems natural to me but people
> with different background can (of course) disagree.
I agree that this approach is more natural and easier to
understand than OpenSSL's default (and the only available till
OpenSSL 1.0.2) "we have to build a chain up to a self-signed root
(Further, one of the practical use cases for this might be
checking OCSP responses in OCSP Stapling, which are expected to be
signed by the certificate issuer, so no additional certificates
should be required for the OCSP response verification, which is
not currently the case, see
What I don't like is the idea of introducing additional
verification options, which will further complicate things.
We might actually consider enabling X509_V_FLAG_PARTIAL_CHAIN by
default if available, though this might be something to carefully
consider to ensure there will be no unwanted side-effects.
> Use Case 2 for such an approach (a real use case):
> On a more practical note, we need to trust all certs issued by any of the
> issuer certs from the EU trusted certificates list site and root certs are
> not published there.
Interesting, thanks for the details.
More information about the nginx-devel