httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr Stephen Henson <>
Subject Re: mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Wed, 26 Mar 2014 12:11:04 GMT
On 26/03/2014 11:11, Emilia Kasper wrote:
> Hi mod_ssl devs,
> I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods when
> available to automatically rebuild misconfigured certificate chains.
> Github pull request:
> Some of the common server chain misconfigurations are a) including the
> self-signed root certificate in the chain and b) missing an intermediate
> certificate in the chain. a) is bad because it bloats the handshake and b) is
> bad because the client can't always validate the chain.
> The patch fixes a) by sanity-checking the chain and chopping self-signed roots.
> I believe it's harmless to turn on by default as the rebuild step will either
> yield a valid chain or preserve the original configuration.
> I've no good idea how to reliably detect and fix missing intermediates but would
> be happy to try out any good suggestions.

I think this is a good idea in principle. A major motivation for adding
SSL_CTX_build_cert_chain to OpenSSL was to correct common chain configuration
errors automatically (certificates in wrong order or additional bogus ones
added) and to detect some other cases (chain not complete). Badly configured
server chains have been a headache for clients for quite a while.

A secondary motivation was to improve efficiency by avoiding the "on the fly"
certificate chain building on each handshake and just build the chain once.

There are some side effects with doing this though.

If the server is correctly configured to exclude the root then the chain build
will fail. The root is needed during path verification to see that the chain is

Some old "on the fly" configurations that place intermediate CAs in the trusted
store are also likely to fail.

Possible workaround is a way to turn off the checking an
"IReallyKnowWhatImDoing" kind of thing which is disabled by default. Or just
require affected users to reconfigure their servers.

As for the patch itself. There could be a cleaner way to achieve the same thing.
We're already optionally iterating through all certificates for OCSP staping
using the 1.0.2 APIs so perhaps that can be adapted to perform a chain build
sanity check at the same time.

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775

View raw message