trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: TLS wishlist: Chained SSL certificates
Date Mon, 24 Feb 2014 23:50:52 GMT


On 25.02.2014 00:42, James Peach wrote:
> On Jan 31, 2014, at 9:14 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
>> one thing would be fine too
>>
>> * having a PEM file with Cert/Key/Intermediate-CA
>> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
>>
>> the valid use case here is that the wildcard cert we are using starting
>> with 2014/01 is used for mail, http and whatnot - dovecot has no config
>> for the CA file, so the PEM file already contains the full chain, which
>> looks like the one at the bottom
>>
>> in case of different certs from different CAs being used for different
>> services this may make things less error-prone, not a big deal, only
>> a wish if someone has the knowledge and is willing to implement it
> 
> I think that this should be straightforward. I even have a comment in the code saying that using a different OpenSSL API would make this work. Does this patch work?

thanks for the feedback, sadly I am out of test environments for that because
the test servers are all using self-signed certificates with no CA

for the moment I can apply that to 4.2.0 RC0 and verify normal TLS
operations and as soon as 4.2.0 is out test it on the production machine
which for now only has one more or less testing domain for TLS

I should not copy the 3-years-valid wildcard cert to test VMs :-)

a unified diff as attachment would be appreciated for rpmbuild;
copy & paste likely damages patch files

> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index ca1b82b..6311834 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -449,7 +449,7 @@ SSLInitServerContext(
>    // also loads only the first certificate, but it allows the intermediate CA certificate
chain to
>    // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL
0.9.3.
>    completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
> -  if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM))
{
> +  if (!SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)) {
>      SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
>      goto fail;
>    }
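Review bot: the comment kept as context above the call ("also loads only the first certificate, but it allows the intermediate CA certificate chain to be in the same file") was written to describe SSL_CTX_use_certificate_chain_file as the alternative; now that it is the call actually made, reword it to state what the new API requires of the file: the server certificate must be the first CERTIFICATE block and the intermediates follow it in signing order, which is exactly the wildcard.pem layout quoted further down. Note that the only error branch here is "failed to load certificate", so a file with the blocks in the wrong order will load without complaint and the ordering requirement needs to be documented next to ssl_multicert.config. Since the intermediates now come from the certificate file, also check how this interacts with an entry that still sets ssl_ca_name, so the same CA certificates are not added to the chain twice.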
> 
> 
>> __________________________________________
>>
>> http://wiki2.dovecot.org/SSL/DovecotConfiguration
>>
>> Chained SSL certificates
>>
>> Put all the certificates in the ssl_cert file. For example when using a certificate
>> signed by TDC the correct order is:
>>    Dovecot's public certificate
>>    TDC SSL Server CA
>>    TDC Internet Root CA
>>    Globalsign Partners CA
>> __________________________________________
>>
>> [root@proxy:~]$ cat /etc/pki/wildcard.pem
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN PRIVATE KEY-----
>> ********************
>> -----END PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----

