[RFC][PATCH 0/1] Add option to use directory for trusted CAs

Maxim Dounin mdounin at mdounin.ru
Fri Jul 7 16:59:00 UTC 2023


Hello!

On Fri, Jul 07, 2023 at 06:02:14PM +0300, Eero Aaltonen via nginx-devel wrote:

> From: Eero Aaltonen <eero.aaltonen at vaisala.com>
> 
> I was looking for an option to configure the trusted CAs using a directory,
> equivalent to the OpenSSL -CApath option. The option seemed to be missing, so
> here's a minimal working example of what I would like to accomplish.
> 
> The current version is still missing code to populate the list used for
> SSL_CTX_set_client_CA_list, but enough to actually verify a certificate chain
> using CAs in the 'ssl_client_ca_dir' specified directory.
> 
> Comments appreciated.

The option to configure CAs using a directory is missing 
intentionally, as loading relevant CA certificates into memory is 
expected to be more efficient than checking things on disk on each 
connection.

If you are nevertheless interested in configuring a directory,
consider using ssl_conf_command with VerifyCAPath/ClientCAPath
(https://nginx.org/r/ssl_conf_command,
https://nginx.org/r/proxy_ssl_conf_command).

-- 
Maxim Dounin
http://mdounin.ru/
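The two ways of supplying trusted CAs that the reply contrasts, side by side in one configuration: nginx's own file-based directives, which load the bundle into memory at startup, and the directory-based lookup handed to OpenSSL through ssl_conf_command / proxy_ssl_conf_command. This is an added illustration, not configuration from the nginx project or from either poster; every path under /etc/nginx/tls/ and the hostnames example.test and backend.internal are made up.

```nginx
# Added example; not from the thread or the nginx project. Paths are hypothetical.
server {
    listen      443 ssl;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # nginx's own approach: the PEM bundle is read once at startup and the
    # CA certificates live in memory for the lifetime of the worker.
    # nginx refuses "ssl_verify_client on" without ssl_client_certificate,
    # so this file stays even when a directory is added below.
    ssl_verify_client      on;
    ssl_verify_depth       2;
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;

    # The workaround from the reply: pass an OpenSSL configuration command
    # straight to SSL_CONF_cmd(). ClientCAPath adds a hashed directory to the
    # verify store; OpenSSL finds CAs there by subject-name hash, so the
    # directory must be prepared with "openssl rehash" (see the note below).
    # ssl_conf_command needs nginx 1.19.4+ built against OpenSSL 1.0.2+;
    # consult SSL_CONF_cmd(3) of the OpenSSL in use for which commands it accepts.
    ssl_conf_command ClientCAPath /etc/nginx/tls/client-cas/;

    location / {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>
        return 200 "client verify: $ssl_client_verify\n";
    }

    location /upstream/ {
        # Same idea for upstream verification: proxy_ssl_verify still requires
        # proxy_ssl_trusted_certificate; VerifyCAPath adds a hashed directory.
        proxy_pass                    https://backend.internal;
        proxy_ssl_name                backend.internal;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;
        proxy_ssl_conf_command        VerifyCAPath /etc/nginx/tls/upstream-cas/;
    }
}
```

Before reloading, build the hash links OpenSSL expects in each directory (`openssl rehash /etc/nginx/tls/client-cas/`, or `c_rehash` on OpenSSL releases before 1.1.0) and run `nginx -t`; a CA dropped into an unhashed directory is silently not found, and adding or rotating a CA later means re-running the rehash, not just copying the file. Because ssl_conf_command is applied after nginx's own SSL settings, the directory supplements the bundle loaded from ssl_client_certificate rather than replacing it, which is also why the ClientCAPath lookup is where the per-connection disk access the reply warns about would happen.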

