Date:      Mon, 13 May 2019 00:21:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1
Message-ID:  <bug-237757-7788-MXZmLQ9Bis@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-237757-7788@https.bugs.freebsd.org/bugzilla/>
References:  <bug-237757-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

--- Comment #5 from Elias Ohm <info@eliasohm.de> ---
I do not exactly know why to use LibreSSL instead of OpenSSL, but anyway had a
look at that issue just for interest.

I didn't check the commit history for LibreSSL 2.9.1, but either

- the cause for bringing that up now is just this one: `- Implemented
further missing OpenSSL 1.1 API.` (implemented API function
SSL_CTX_set0_chain_certs)

If this function is newly defined then nginx just switches to using this
function, which refers to a chain attached to a certificate in the context
instead of an extra chain available at the context, whereas the parts in nginx
that read the chain did not implement the get-counterpart but stuck with the
OpenSSL 1.0.1 function SSL_CTX_get_extra_chain_certs. The function is
implemented differently in OpenSSL and LibreSSL: OpenSSL falls back to the
certificate chain if no extra chain is present, so it never falls over the
inconsistency in the nginx code, whereas LibreSSL implemented that function
with the semantics of the OpenSSL SSL_CTX_get_extra_chain_certs_only (so no
fallback to the certificate chain)

- or LibreSSL now decided to change the semantics of
SSL_CTX_get_extra_chain_certs to that of OpenSSL's
SSL_CTX_get_extra_chain_certs_only…

In effect the certificate chain has been stored in the chain field belonging to
the certificate, but for the stapling check it tried to read that from the
extra_chain (so getting no certificate to verify and passing an empty value for
the chain to OCSP_basic_verify, resulting in "signer certificate not found")...


So if you want to have it work you can try the attached patch.
I also submitted it to nginx directly as this is a thing that should be
generally fixed (even when it's working with OpenSSL it's not fine to not use
the correct counterparts of newly implemented interfaces).
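A defender-side check, added here as an example (it is not part of the bug report or of the attached patch): the first function classifies captured `openssl s_client -status` output, and the second reruns the responder verification nginx performs in OCSP_basic_verify with the chain file supplied explicitly, which separates a genuinely broken chain from the accessor mismatch described above. Assumes the openssl command-line tool; host, port and PEM file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report or the attached patch.
# Assumes the openssl CLI; host, port and PEM file names are placeholders.

# Classify captured `openssl s_client -status` output (passed as $1).
# Return 0: a successful OCSP response was stapled.
# Return 1: the server sent no staple. This is the externally visible symptom
#           of the nginx/LibreSSL mismatch: nginx logs "signer certificate
#           not found" and silently omits the staple.
# Return 2: a staple was sent but its status was not "successful".
classify_staple() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        return 0
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        return 1
    else
        return 2
    fi
}

# Live probe: one TLS handshake requesting the status_request extension.
# Usage: probe_staple example.org 443   (placeholder host and port)
probe_staple() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" \
          -servername "$1" -status 2>/dev/null)
    classify_staple "$out"
}

# Independent re-run of what nginx does in OCSP_basic_verify: query the
# responder named in the leaf and search the chain file for the response
# signer. If this reports "Response verify OK" while nginx logs "signer
# certificate not found", the chain itself is fine and nginx is simply not
# passing it to the verification (the accessor mismatch described above).
# Usage: verify_chain_manually leaf.pem issuer.pem chain.pem trusted.pem
verify_chain_manually() {
    leaf=$1; issuer=$2; chain=$3; trusted=$4
    url=$(openssl x509 -noout -ocsp_uri -in "$leaf") || return 2
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
        -verify_other "$chain" -CAfile "$trusted" -resp_text 2>&1 |
        grep -q 'Response verify OK'
}
```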
