Using default CA path from openssl

Michal Cichra michal at 3scale.net
Wed Sep 10 22:56:29 UTC 2014


Hi,

first I would like to thank you for the proxy ssl verification that landed in nginx 1.7.

Regarding that, there is one slight problem I’ve found when creating a proxy that dynamically accesses different hosts.
The configuration is limited to setting a certificate and does not use a CA path at all.

OpenSSL has a compiled-in default CA path, and on some distributions it points to the system trusted CA store.

What I propose is a configuration flag to set `SSL_CTX_set_default_verify_paths`.

My unpolished patch is:
--- bundle/nginx-1.7.4/src/event/ngx_event_openssl.c.orig	2014-09-10 23:33:09.000000000 +0200
+++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c	2014-09-10 23:33:49.000000000 +0200
@@ -498,6 +498,7 @@
     SSL_CTX_set_verify_depth(ssl->ctx, depth);

     if (cert->len == 0) {
+        SSL_CTX_set_default_verify_paths(ssl->ctx);
         return NGX_OK;
     }
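
Review bot: the return value of `SSL_CTX_set_default_verify_paths(ssl->ctx)` on the added line is discarded; OpenSSL returns 0 when neither the compiled-in CA file nor the CA directory can be loaded, and the code then falls through to `return NGX_OK`, so a host without a system CA store would silently end up with verification enabled against an empty trust store and every verified upstream handshake would fail with nothing in the error log pointing at the cause. Check the result and report it the way the surrounding function reports its other OpenSSL failures, e.g. `if (SSL_CTX_set_default_verify_paths(ssl->ctx) == 0) { ... return NGX_ERROR; }`. Also, because the call is keyed on `cert->len == 0`, it runs for every configuration that sets no trusted certificate, which changes behaviour for existing configs; gating it on an explicit `system` value, as the post itself proposes below the patch, would avoid that.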

When there is no certificate, load defaults. That certainly has some drawbacks. So I would propose something like `proxy_ssl_trusted_certificate system;`.

What do you think? It could increase the memory load, but it is really convenient for general ssl verification.

Another proposed solution ( https://groups.google.com/forum/#!topic/openresty-en/SuqORBK9ys0 ) was to export system certificates and load them from one file.
That does not work for me, as I need to make a reusable nginx configuration that can be deployed on many platforms, and it would be hard to instruct people how to do it.

Best,
Michal Cichra
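
As an added example, not code from the post, from nginx or from OpenSSL: the script below resolves the CA store that `SSL_CTX_set_default_verify_paths()` would consult on the running host (compiled-in file and directory, overridden by the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables), and renders the `proxy_ssl_*` directives nginx 1.7 already has, which is one portable way to do the "export to one file" workaround the post finds hard to document across platforms. The regex-based certificate count is an approximation for sizing the memory cost the post mentions.

```python
import os
import re
import ssl

# Added example, not code from the post or from nginx.  It resolves the CA
# store that OpenSSL's SSL_CTX_set_default_verify_paths() would load and
# renders the proxy_ssl_* directives that nginx 1.7 already supports.

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----")

def default_verify_paths():
    """Compiled-in defaults of the OpenSSL build Python is linked against."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile, "cafile_env": p.openssl_cafile_env,  # SSL_CERT_FILE
        "capath": p.openssl_capath, "capath_env": p.openssl_capath_env,  # SSL_CERT_DIR
    }

def resolve_trust_store(paths, env):
    """Env var wins over the compiled-in path, as in OpenSSL; drop paths
    that do not exist on this host, since those would load nothing."""
    cafile = env.get(paths["cafile_env"]) or paths["cafile"]
    capath = env.get(paths["capath_env"]) or paths["capath"]
    return {
        "cafile": cafile if cafile and os.path.isfile(cafile) else None,
        "capath": capath if capath and os.path.isdir(capath) else None,
    }

def count_pem_certs(cafile):
    """Certificates in a PEM bundle, a rough measure of the memory cost."""
    with open(cafile, "r", errors="replace") as fh:
        return len(PEM_CERT.findall(fh.read()))

def nginx_proxy_ssl_directives(store, depth=2):
    """proxy_ssl_trusted_certificate takes one PEM file; None if there is none."""
    if not store["cafile"]:
        return None
    return "\n".join([
        "proxy_ssl_verify on;",
        "proxy_ssl_verify_depth %d;" % depth,
        "proxy_ssl_trusted_certificate %s;" % store["cafile"],
    ])

if __name__ == "__main__":
    store = resolve_trust_store(default_verify_paths(), os.environ)
    print(store)
    print(nginx_proxy_ssl_directives(store) or "# no default CA file found here")
```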
