6

I have a custom easyrsa setup with a root and three CAs signed by the root (three different sub-CAs depending on the user type), like this:

RootCA
  +----- AdminUserCA
  +----- EmployeeCA
  +----- ClientCA

I have authentication working with the following config:

server {
  listen               127.0.0.1:443;
  server_name          www.acme.corp;
  ssl                  on;
  ssl_certificate      /data/src/easy-rsa/bundles/www.acme.corp_bundle.crt;
  ssl_certificate_key  /data/src/easy-rsa/whfWebCA/pki/private/www.acme.corp.key;
  add_header           Strict-Transport-Security "max-age=315360000; includeSubdomains";
  ssl_protocols        SSLv3 TLSv1;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
  ssl_prefer_server_ciphers on;
  ssl_verify_client optional;
  ssl_client_certificate /data/src/easy-rsa/bundles/client_auth_ca_chain.crt;
  ssl_verify_depth 2;
  ssl_crl /data/src/easy-rsa/bundles/crls/all.pem;

  ...
}

The problem is with the CRL checking. CRLs are signed by the issuing CA, therefore they cannot be appended together like intermediate certificate + root certificates.

So a user's certificate will be issued by the given intermediate CA depending on their user type. The problem is I really need to check four CRL lists to be effective. The nginx ssl_crl only supports a single file.

So my question is: Is it possible to have nginx correctly check for a client certificate revocation in this setup without having to do the check in my application?

ErebusBat

2 Answers

2

Yes, it is possible. Just concatenate multiple PEM-encoded CRLs into a single file specified in the ssl_crl directive.

(A question on the nginx mailing list referenced this question. Posting the answer here as well.)

Maxim Dounin
  • I tried this and it did not work. Is there a specific process or version of nginx for this to function correctly? – ErebusBat Apr 23 '14 at 02:33
  • Any version with ssl_crl will do (0.8.7+), it's handled within OpenSSL library. If it "did not work", please define "did not work". – Maxim Dounin May 08 '14 at 18:44
0

You have to concatenate all the CRLs in the chain: root CA and intermediate CAs.

Using openssl crl -in crl_list.crl -noout -text only reads the first CRL, but nginx reads them correctly and validates the user certificate.

Inspired by: https://www.ruby-forum.com/topic/6874370
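Both answers come down to the same thing: one PEM file holding every CA's CRL, root included. The script below is an added example, not code from the question or either answer. It builds a throwaway PKI shaped like the one in the question (RootCA with AdminUserCA, EmployeeCA and ClientCA), issues two client certificates, revokes one at its issuing sub-CA, generates a CRL for each of the four CAs, concatenates them and then checks both certificates with openssl verify -crl_check_all. nginx's ssl_crl turns on OpenSSL's CRL_CHECK and CRL_CHECK_ALL flags, so this command-line check exercises the same OpenSSL code path nginx does. The CA names, the user names alice and bob, and the file names all.pem and chain.crt are assumptions chosen to match the question; everything runs offline in a temporary directory and needs only the openssl CLI (1.1.1 or newer).

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answers): four CAs, one
# revoked client cert, four CRLs concatenated into one file, verified with OpenSSL.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One openssl config shared by every CA; CA_DIR selects which CA it acts as.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = local_ca
[ local_ca ]
dir                = $ENV::CA_DIR
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
serial             = $dir/serial
crlnumber          = $dir/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints   = CA:FALSE
keyUsage           = critical,digitalSignature
extendedKeyUsage   = clientAuth
EOF

# Create the on-disk state "openssl ca" expects for the CA named $1 (assumed layout).
init_ca_dir() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
}

# Self-signed root.
init_ca_dir RootCA
CA_DIR=RootCA openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config ca.cnf -extensions v3_ca -subj /CN=RootCA \
  -keyout RootCA/ca.key -out RootCA/ca.crt 2>/dev/null

# Sub-CA $1, signed by RootCA.
make_sub_ca() {
  init_ca_dir "$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1/ca.key" -out "$1.csr" 2>/dev/null
  CA_DIR=RootCA openssl ca -batch -notext -config ca.cnf -extensions v3_ca \
    -in "$1.csr" -out "$1/ca.crt" 2>/dev/null
}

# Client certificate for user $2, issued by sub-CA $1.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  CA_DIR="$1" openssl ca -batch -notext -config ca.cnf -extensions v3_client \
    -in "$2.csr" -out "$2.crt" 2>/dev/null
}

for ca in AdminUserCA EmployeeCA ClientCA; do make_sub_ca "$ca"; done
issue_client EmployeeCA alice
issue_client ClientCA bob

# Only alice's issuer can revoke her: the revocation lands in EmployeeCA's CRL.
CA_DIR=EmployeeCA openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null

# Every CA signs its own CRL; concatenating the four gives the ssl_crl file.
for ca in RootCA AdminUserCA EmployeeCA ClientCA; do
  CA_DIR="$ca" openssl ca -config ca.cnf -gencrl -out "$ca/crl.pem" 2>/dev/null
done
cat RootCA/crl.pem AdminUserCA/crl.pem EmployeeCA/crl.pem ClientCA/crl.pem > all.pem
# Trust bundle for ssl_client_certificate: the three issuing CAs plus the root.
cat AdminUserCA/ca.crt EmployeeCA/ca.crt ClientCA/ca.crt RootCA/ca.crt > chain.crt

# How many CRLs the concatenated file actually holds.
crl_count() { grep -c 'BEGIN X509 CRL' all.pem; }

# Verify $1 as nginx does: full chain, a CRL required for every CA in it.
# Prints OK, "certificate revoked", or FAIL.
check_cert() {
  local out
  out=$(openssl verify -crl_check_all -CAfile chain.crt -CRLfile all.pem "$1" 2>&1) || true
  case "$out" in
    *": OK"*)                echo OK ;;
    *"certificate revoked"*) echo "certificate revoked" ;;
    *)                       echo FAIL ;;
  esac
}

echo "CRLs in all.pem: $(crl_count)"                                # 4
echo "openssl crl sees only: $(openssl crl -in all.pem -noout -issuer)"  # the first (RootCA)
echo "alice (revoked by EmployeeCA): $(check_cert alice.crt)"        # certificate revoked
echo "bob (valid, from ClientCA): $(check_cert bob.crt)"             # OK
```

In the question's config this maps to ssl_client_certificate pointing at chain.crt, ssl_crl pointing at all.pem and ssl_verify_depth 2 (client, sub-CA, root). The openssl crl line reproduces the observation in the second answer: that tool decodes only the first CRL in the file, whereas the verifier loads all of them. Two caveats follow from CRL_CHECK_ALL: nginx needs a current CRL for every CA in the chain, so a missing or expired CRL for any of the four CAs (the root's included) fails every client, and all.pem has to be rebuilt and nginx reloaded whenever any CA publishes a new CRL. Unrelated to revocation, the SSLv3 and RC4 entries in the question's ssl_protocols and ssl_ciphers are not something to carry into a new deployment.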