Using default CA path from openssl
Maxim Dounin
mdounin at mdounin.ru
Thu Sep 11 15:00:08 UTC 2014
Hello!
On Thu, Sep 11, 2014 at 12:56:29AM +0200, Michal Cichra wrote:
> Hi,
>
> first I would like to thank you for the proxy ssl verification that
> landed in nginx 1.7.
>
> Regarding that, there is one slight problem I've found when
> creating a proxy that dynamically accesses different hosts.
> The configuration is limited to setting a certificate and does
> not use a CA path at all.
>
> OpenSSL has a compiled-in default CA path, and on some
> distributions it points to the system trusted CA store.
>
> What I propose is a configuration flag, to set
> `SSL_CTX_set_default_verify_paths`.
>
> My unpolished patch is:
> --- bundle/nginx-1.7.4/src/event/ngx_event_openssl.c.orig 2014-09-10 23:33:09.000000000 +0200
> +++ bundle/nginx-1.7.4/src/event/ngx_event_openssl.c 2014-09-10 23:33:49.000000000 +0200
> @@ -498,6 +498,7 @@
> SSL_CTX_set_verify_depth(ssl->ctx, depth);
>
> if (cert->len == 0) {
> + SSL_CTX_set_default_verify_paths(ssl->ctx);
> return NGX_OK;
> }
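Review bot: the return value of SSL_CTX_set_default_verify_paths() is discarded in the added line; it returns 0 when the default lookups cannot be installed, so the branch should check it and return an error instead of unconditionally returning NGX_OK. Separately, putting the call in the empty-certificate branch of this generic helper changes the trust store for every caller that reaches it with no certificate configured, not only the dynamic-host proxy case described in the mail; gating it on an explicit configuration value (the `system` keyword proposed below) keeps existing setups on their current, empty store.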
>
> When there is no certificate, load defaults. That certainly has
> some drawbacks. So I would propose something like
> `proxy_ssl_trusted_certificate system;`.
>
> What do you think? It could increase the memory load, but it is
> really convenient for general ssl verification.
Special value to load system default CA certs may make sense.
--
Maxim Dounin
http://nginx.org/
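To make concrete what "system default CA path" means and where the proposed `system` value would differ from today's behaviour, here is an added example that is not nginx code and not part of the thread. It uses Python's ssl module, which wraps the same OpenSSL calls: `SSLContext.set_default_verify_paths()` calls `SSL_CTX_set_default_verify_paths()`, and `ssl.get_default_verify_paths()` reports the compiled-in locations that differ between distributions. The function and parameter names are the example's own.

```python
"""Inspect OpenSSL's compiled-in CA defaults and build a verifying context.

Added example (not nginx code).  Mirrors the thread's proposal:
"system" loads the OpenSSL default paths, a filename loads only that
bundle, and None reproduces the current empty-store behaviour.
"""
import os
import ssl


def compiled_in_ca_locations():
    """Return OpenSSL's compiled-in CA file/dir and whether they exist here.

    This is the distribution-dependent default the mail refers to: on some
    systems it points at the system trust store, on others the paths exist
    only in the binary and nothing is there on disk.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,
        "cafile_exists": bool(p.openssl_cafile) and os.path.isfile(p.openssl_cafile),
        "capath": p.openssl_capath,
        "capath_exists": bool(p.openssl_capath) and os.path.isdir(p.openssl_capath),
        "cafile_env": p.openssl_cafile_env,  # typically SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,  # typically SSL_CERT_DIR
    }


def system_store_available():
    """True if at least one compiled-in default location exists on this host.

    This is the drawback the mail hints at: SSL_CTX_set_default_verify_paths()
    reports success even when neither location exists, leaving the store
    empty and every verification failing.
    """
    loc = compiled_in_ca_locations()
    return loc["cafile_exists"] or loc["capath_exists"]


def make_verifying_context(trusted="system"):
    """Build a client context whose trust store mirrors the proposed directive.

    trusted == "system": load OpenSSL's default paths (the patched branch).
    trusted == <path>:   load only that CA bundle, as an explicit
                         proxy_ssl_trusted_certificate does today.
    trusted is None:     configure nothing (current behaviour with no file).
    Peer verification is required in every case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if trusted == "system":
        # Python raises SSLError if the underlying call reports failure;
        # the C patch in the thread drops that return value.
        ctx.set_default_verify_paths()
    elif trusted is not None:
        ctx.load_verify_locations(cafile=trusted)
    return ctx


def trusted_cert_count(ctx):
    """Number of CA certificates loaded into the context's X509 store.

    A hashed CA *directory* (capath) is consulted lazily at handshake time,
    so this stays 0 on capath-only systems even though verification works.
    """
    return ctx.cert_store_stats()["x509"]


if __name__ == "__main__":
    print(compiled_in_ca_locations())
    print("system store available:", system_store_available())
    print("certs with nothing configured:",
          trusted_cert_count(make_verifying_context(None)))
    print("certs with system defaults:",
          trusted_cert_count(make_verifying_context("system")))
```

Running it on two different distributions shows why the mail calls the default distribution-dependent: the compiled-in `cafile`/`capath` strings are the same OpenSSL build constants nginx would pick up, and only their existence on disk decides whether `system` yields a usable store.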