OCSP, ssl_trusted_certificate, and ssl_stapling_verify

Maxim Dounin mdounin at mdounin.ru
Thu Mar 6 04:31:22 UTC 2014


Hello!

On Wed, Mar 05, 2014 at 11:49:24AM -0800, Scott Larson wrote:

>      In setting up OCSP stapling on 1.5.10 I've found it behaving in a way
> which is opposite to what I perceive is documented. There it states that
> the contents of ssl_trusted_certificate are not sent to the client. However
> when I enable ssl_stapling_verify, which requires the inclusion of in this
> case the GeoTrust root certificate for the OCSP response to work, this root
> certificate is included in the response back to the client.
>      Am I just interpreting the documentation incorrectly? It's not a dire
> issue, simply unexpected, and when including the root cert the SSL
> handshake increases from 4434 bytes to 5293.

The difference between ssl_trusted_certificate and 
ssl_client_certificate is that the latter is sent to a client in a 
certificate request, in a list of distinguished names of accepted 
certificate authorities, see here:

http://tools.ietf.org/html/rfc5246#section-7.4.4

What you see is likely auto chain building as done by OpenSSL if 
certificate chain isn't explicitly specified.  It shouldn't happen 
as long as there is at least one intermediate cert in 
ssl_certificate file.

-- 
Maxim Dounin
http://nginx.org/
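The reply above says the extra root in the handshake comes from OpenSSL building the chain itself when the ssl_certificate file holds only the leaf, and that it stops once the file also contains an intermediate. The helper below is an added example, not code from the thread or from nginx: it counts the certificates in a PEM bundle so an operator can confirm the file handed to ssl_certificate carries the leaf plus at least one intermediate (ssl_trusted_certificate is then the place for the intermediate and root that ssl_stapling_verify needs). The function names, the placeholder PEM blocks it constructs for an offline run, and the example hostname are assumptions; only the openssl s_client command inspects a real server.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the nginx list thread.

# Count certificates in a PEM bundle by its BEGIN markers; no parsing needed.
# grep -c exits 1 on zero matches, so keep the count and ignore that status.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed (exit 0) when the bundle holds the leaf plus at least one
# intermediate; fail (exit 1) when it holds a single certificate, the case
# in which OpenSSL builds the chain itself and may append the root.
chain_has_intermediate() {
    n=$(pem_cert_count "$1")
    [ "$n" -ge 2 ]
}

# Write a constructed bundle of N placeholder blocks (not real certificates)
# so the checks can be exercised offline; returns the temp file path.
make_sample_bundle() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt "$1" ]; do
        printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder%s\n-----END CERTIFICATE-----\n' "$i" >> "$f"
        i=$((i + 1))
    done
    echo "$f"
}

# Inspect a live server: which chain it sends (depth= lines) and whether an
# OCSP staple arrived ("OCSP Response Status"). Not run in the offline demo.
show_staple_status() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>&1 \
        | grep -E 'OCSP Response Status|depth=|Verify return code'
}

# Offline demo on constructed bundles.
leaf_only=$(make_sample_bundle 1)
with_intermediate=$(make_sample_bundle 2)
if chain_has_intermediate "$leaf_only"; then
    echo "leaf-only bundle: unexpected"
else
    echo "leaf-only bundle: OpenSSL would auto-build the chain"
fi
if chain_has_intermediate "$with_intermediate"; then
    echo "leaf+intermediate bundle: explicit chain, no auto chain building"
fi
rm -f "$leaf_only" "$with_intermediate"
# Example live check (hostname is a placeholder): show_staple_status example.com
```

Run the live check against your own host after reloading nginx; the depth= lines show exactly which certificates were sent, so a root appearing there with a leaf-only ssl_certificate file is the auto chain building the reply describes.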


