Certificate Chain Validation

Maxim Dounin mdounin at mdounin.ru
Mon Feb 3 13:44:03 UTC 2020


On Thu, Jan 30, 2020 at 10:55:03AM -0500, slowgary wrote:

> Thanks for the correction Maxim. I tested this before posting by using an
> old certificate. Nginx did not throw an error but the browser did notify
> that the connection was insecure.

Depending on what exactly "certificate chain validation" in the 
original question was intended to mean, there may be at least 
three cases considered:

1. Certificate chains as configured for nginx itself, by using 
within the ssl_certificate directive 
(http://nginx.org/r/ssl_certificate).  For these certificates 
nginx does not try to do any validation (and in most cases it 
simply can't do it - in particular, because it doesn't know the 
name to be used by clients, and doesn't have a root certificate to 
validate against).

2. Certificate chains as presented by a client, as per the 
ssl_verify_client directive 
(http://nginx.org/r/ssl_verify_client).  These chains are always 
properly validated, including expiration of all intermediate 
certificates and the certificate itself.

3. Certificate chains as presented by an upstream server, when 
using proxy_pass to an https://... URL.  These chains are properly 
validated as long as the proxy_ssl_verify directive is on 
(http://nginx.org/r/proxy_ssl_verify).  Note though that this is 
not the default behaviour, and by default nginx will not try to 
validate upstream server certificates at all.

Given that the original question asks if nginx will "proceed or 
will it break the connection", I suspect the question is either 
about (2) or (3), as (1) hardly make sense during a particular 
connection handling.

If you think that you see nginx accepting an expired certificate 
from a client, or accepting an expired certificate from an 
upstream server with proxy_ssl_verify switched on - please report 
more details.

If you've assumed (1), the statement you've made is anyway too 
broad to be true, as clearly nginx _does_ validate the expiration 
date of certificates - as long as it does any validation at all.

Maxim Dounin

More information about the nginx mailing list