Opened 9 years ago

Last modified 7 years ago

#782 reopened enhancement

nginx doesn't check delta CRLs

Reported by: Niko Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.9.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.9.4
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled

Description

Hi,

we are using nginx for certificate authentication. We have multiple trusted certificate authorities (CA) and related certificate revokation lists (CRL) in one pem file which is updated on a daily basis:

ssl_client_certificate /etc/nginx/clientcerts/trustedCAs.pem;
ssl_crl /etc/nginx/clientcerts/revoked_certs.pem;

This works fine so far when a certificate authority has only one corresponding CRL. However when a CA uses so called "Delta CRLs", a revoked client certificate which is only present in the delta CRL seems to not be read by nginx. The revoked certificate is accepted by nginx. If the revoked certificate is directly inserted into the "main" CRL, nginx declines the authentication.

Does nginx support "Delta CRLS"? I believe this is a security issue, because there may be some certificate authorities which make use of ""Delta CRLs". If nginx ignores them, a client certificate is accepted although it is revoked.

Change History (4)

comment:1 by Maxim Dounin, 9 years ago

Resolution: invalid
Status: newclosed

CRLs are loaded from the file specified. If you want nginx to load multiple CRLs (that is, "main" CRL and "delta" CRLs), concatenate them together into one file.

comment:2 by Niko, 9 years ago

We know that we have to concatenate all CRLs into one pem file from our trusted CAS.

We have the case, that one certificate authority has multiple CRLs in this concatenated CRL pem file. These CRLs refer to the same CA. The delta CRL pem is the second CRL which only extends the main CRL pem file of the CA. In our tests a revoked certificate which was only present in the delta CRL isn't revoked by nginx.

I am talking about the Delta CRL functionality which is defined in the RFC 5280 (https://www.ietf.org/rfc/rfc5280.txt). It could be the case that nginx doesn't read the delta CRLs correctly. Or is this functionalitynot implemented?

comment:3 by Maxim Dounin, 9 years ago

Resolution: invalid
Status: closedreopened

Ah, I think I see what's going on here.

What nginx does is the call to appropriate OpenSSL function to load a file with CRLs. It's up to OpenSSL to handle the rest. The result is similar to what's done by the below check with openssl s_client (assuming root_and_crl.pem contains needed certificates and CRLs in the PEM format):

openssl s_client -connect example.com:443 -CAfile root_and_crl.pem -crl_check_all

Though looking into the OpenSSL code suggests that it won't use CRL deltas by default. In OpenSSL 1.0.0+ CRL deltas are supported, but not used unless a special option is given, -use_deltas. This option maps to the X509_V_FLAG_USE_DELTAS verification flag.

Not sure why deltas are not checked by default. If there is no good reason, we may consider using the flag if it's supported by the OpenSSL version used, patch below:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -644,8 +644,12 @@ ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *s
         return NGX_ERROR;
     }
 
-    X509_STORE_set_flags(store,
-                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK
+                                |X509_V_FLAG_CRL_CHECK_ALL
+#ifdef X509_V_FLAG_USE_DELTAS
+                                |X509_V_FLAG_USE_DELTAS
+#endif
+    );
 
     return NGX_OK;
 }

I don't have any CAs using CRL detlas on hand, testing is appreciated.

comment:4 by Maxim Dounin, 7 years ago

Type: defectenhancement
Note: See TracTickets for help on using tickets.