Does ssl_trusted_certificate actually send certs to client?

shumisha nginx-forum at nginx.us
Sun Mar 1 12:05:43 UTC 2015


Hi
I'm facing this problem as well, though in a different context: OCSP
stapling. Everything looks good without OCSP stapling: my ssl_certificate
file contains my domain (wildcard) cert from AlphaSSL, which doesn't require
any intermediate cert, so the domain cert is the only one in that file.

However, to enable OCSP stapling, I have to specify the full cert chain in
ssl_trusted_certificate. I do this by including first the GlobalSign root, then
the AlphaSSL intermediate. This works fine, and OCSP stapling is operating
normally.

But as a side effect, clients now also receive the full chain of
certificates. I think, from your response above, that OpenSSL auto chain
building is responsible for that (you also made the same reply in
http://forum.nginx.org/read.php?2,248153,248168#msg-248168).

1 - You say: "It shouldn't happen as long as there is at least one
intermediate cert in ssl_certificate file". That's precisely what I want to
avoid: including the whole chain in the ssl_certificate file. Only adding the
AlphaSSL intermediate cert to ssl_certificate (i.e. NOT adding the GlobalSign
root cert) results in error #20.

2 - Googling a bit more, and totally shooting in the dark here, I also found
that OpenSSL has an SSL_MODE_NO_AUTO_CHAIN flag that "...Allow an
application to disable the automatic SSL chain building....". Isn't it
something you could use to disable the auto chain building? (Originated from
http://t93518.encryption-openssl-development.encryptiontalk.info/ssl-server-root-certs-and-client-auth-t93518.html
I think.)

Thanks for any input anyway!

Cheers

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256613,256970#msg-256970
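The post's concern is that a bundle built for ssl_trusted_certificate (root first, then intermediate) ends up being served to clients, root included. The following added example, which is not part of the post or of nginx, builds a throwaway root/intermediate/leaf hierarchy with openssl and checks a PEM bundle for a self-signed root, the marker of a chain a server has no reason to send; all subjects, file names and the "Demo" hierarchy are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> leaf
# hierarchy with openssl, then check PEM bundles for a self-signed root. All subjects,
# file names and the "Demo" hierarchy are constructed for this demonstration.
set -e
WORK=$(mktemp -d)
# Extensions marking the intermediate as a CA, so the hierarchy looks like a real one.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Self-signed root (subject == issuer), playing the role of the GlobalSign root in the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA signed by the root, playing the role of the AlphaSSL intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# Server (leaf) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# Bundle built the way the post describes for ssl_trusted_certificate: root, then intermediate.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trusted.pem"
# Bundle of the kind that belongs in ssl_certificate: leaf, then intermediate, no root.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served.pem"

# Number of PEM certificates in a bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds if any certificate in the bundle is self-signed (subject == issuer): a root
# that clients already hold in their trust store and gain nothing from receiving.
has_self_signed_root() {
  parts=$(mktemp -d)
  # Split the bundle into one file per certificate, preserving order.
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
  found=1
  for c in "$parts"/c*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then found=0; fi
  done
  rm -rf "$parts"
  return $found
}

echo "trusted.pem: $(count_certs "$WORK/trusted.pem") certs"
has_self_signed_root "$WORK/trusted.pem" && echo "trusted.pem contains a self-signed root"
has_self_signed_root "$WORK/served.pem" || echo "served.pem contains no self-signed root"
```

The same has_self_signed_root check can be run over the chain a live server actually sends, saved from an `openssl s_client -showcerts` session, to confirm whether the root is being served.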
