[Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon May 13 00:21:17 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

--- Comment #5 from Elias Ohm <info at eliasohm.de> ---
I do not exactly know why to use LibreSSL instead of OpenSSL, but anyway had a
look at that issue just for interest.

I didn't check commit history for LibreSSL 2.9.1, but either

- the cause for bringing that up now is just this one `- Implemented
further missing OpenSSL 1.1 API.` (implemented API function
SSL_CTX_set0_chain_certs)

If this function is newly defined then nginx just switches to use this function,
which refers to a chain attached to a certificate in the context instead of an
extra chain available at the context, whereas the parts in nginx that read
the chain did not implement the getter counterpart but stuck with the OpenSSL
1.0.1 function SSL_CTX_get_extra_chain_certs. The function is implemented
differently in OpenSSL and LibreSSL: OpenSSL falls back to the certificate
chain if no extra chain is present, so it never trips over the inconsistency in
nginx code, where LibreSSL implemented that function with the semantics of the
OpenSSL SSL_CTX_get_extra_chain_certs_only (so no fallback to the certificate
chain).

- or LibreSSL now decided to change the semantics of
SSL_CTX_get_extra_chain_certs to that of OpenSSL's
SSL_CTX_get_extra_chain_certs_only…

In effect the certificate chain has been stored in the chain field belonging to
the certificate, but for the stapling check it tried to read that from the
extra_chain (so getting no certificate to verify and passing an empty value for
the chain to OCSP_basic_verify, resulting in "signer certificate not found")...


So if you want to have it work you can try the attached patch.
I also submitted it to nginx directly as this is a thing that should be
generally fixed (even when it's working with OpenSSL it's not fine not to use
the correct counterparts of newly implemented interfaces).
