ssl_verify_partial_chain

Maxim Dounin mdounin at mdounin.ru
Sat May 21 01:46:44 UTC 2022


Hello!

On Fri, May 20, 2022 at 04:02:08PM +0200, Vedran Vidovic wrote:

> Hello,
>  
> thanks for the extensive answer.
>  
> I will try to pursue a solution similar to your suggestion:
> - convert intermediate CA certificate to trusted certificate
> - validate client certificate using trusted certificate
>  
> I still believe that addition of the new configuration option
> "ssl_verify_partial_chain" would benefit nginx because if
> we configure it using the "ssl_trusted_certificate" it doesn't
> send a list of allowed CAs to the client. We just can't cover
> the case when we want to send a list of allowed issuers
> (without their root certs) without changes to nginx.

Sure, it could be beneficial to provide proper list of allowed 
certificate authorities during the SSL handshake.  But, as already 
suggested, it should be possible to solve this without introducing 
additional options.  Further, given the comments in the OpenSSL 
ticket, it might be something to address on the OpenSSL side if 
OpenSSL team is willing to simplify providing explicit trust 
information.

> In my view, if I configure a certificate I1 as a trusted issuer, I should not be enforced
> to add its issuer to list of trusted certificates. I would like to tell my server to trust all
> certificates issued by certificate I1 (and not by it's root issuer). Similar functionality
> is available in some other products I used and it seems natural to me but people
> with different background can (of course) disagree.

I agree that this approach is more natural and easier to 
understand than OpenSSL's default (and the only available till 
OpenSSL 1.0.2) "we have to build a chain up to a self-signed root 
CA" approach.

(Further, one of the practical use cases for this might be 
checking OCSP responses in OCSP Stapling, which are expected to be 
signed by the certificate issuer, so no additional certificates 
should be required for the OCSP response verification, which is 
not currently the case, see 
http://nginx.org/r/ssl_stapling_verify.)

What I don't like is the idea of introducing additional 
verification options, which will further complicate things.

We might actually consider enabling X509_V_FLAG_PARTIAL_CHAIN by 
default if available, though this might be something to carefully 
consider to ensure there will be no unwanted side-effects.

[...]

> Use Case 2 for such an approach (a real use case):
> On a more practical note, we need to trust all certs issued by any of the
> issuer certs from the EU trusted certificates list site and root certs are
> not published there.

Interesting, thanks for the details.

-- 
Maxim Dounin
http://mdounin.ru/



More information about the nginx-devel mailing list