 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Intermediate SSL certificates
 Date:  Mon, 21 Nov 2011 11:25:49 +0100
Hi!

We have problems here with a rapid SSL certificate. It requires a
certificate chain with two intermediate certificates. After looking
into the patch for mini_http contributed by Bernie O'Connor [1], I'm
not sure if it implements the certificate chain correctly.

1 if ( certfile[0] != '\0' )
2   if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
3      if ( SSL_CTX_use_certificate_chain_file( ssl_ctx, certfile ) == 0 ||
4           SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
5           SSL_CTX_check_private_key( ssl_ctx ) == 0
6      )


line 2: first, get ssl certificate,
        SSL_CTX_use_certificate_file() loads the first certificate stored
        in file into ctx.
line 3: get certificate chain
        from ssl_ctx_use_certificate_chain_file(3):
        "SSL_CTX_use_certificate_chain_file() adds the first certificate
        found in the file to the certificate store. The other certificates
        are added to the store of chain certificates using
        ssl_ctx_add_extra_chain_cert(3)."
line 4: get private key

So probably line 2 is obsoleted by line 3, isn't it? Does it do any harm?


[1]
https://github.com/resmo/mirror-m0n0wall-svn/commit/9c3c5dd1ecc06147cf74f935e83d4f8198ab1291

-- 
---------------------------------------------------------------------------
 copyleft(c) by |   _-_     "Whip me. Beat me. Make me maintain AIX." (By
 Peter Allgeyer | 0(o_o)0   Stephan Zielinski)
---------------oOO--(_)--OOo-----------------------------------------------
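
A preflight check for the single PEM file that the quoted code passes to both the certificate and the private-key calls, as an added example that is not part of the original message or of the patch it discusses. It counts the PEM blocks so you can see how many certificates follow the first one, which is what the chain-file call has to pick up; `pem_scan`, `struct pem_layout` and `SAMPLE_BUNDLE` are hypothetical names, and the sample bundle is constructed with placeholder bodies.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (hypothetical): server certificate, two intermediates and
 * the key in one PEM file. The base64 bodies are placeholders, not real data. */
static const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";

struct pem_layout {
    int certs;        /* CERTIFICATE blocks in the file */
    int keys;         /* blocks whose label ends in PRIVATE KEY */
    int extra_chain;  /* certificates after the first one (the chain) */
};

/* Walk BEGIN/END pairs; 0 on success, -1 on an unterminated or mismatched block. */
int pem_scan(const char *pem, struct pem_layout *out)
{
    static const char BEGIN[] = "-----BEGIN ", END[] = "-----END ";
    const char *p = pem;
    memset(out, 0, sizeof *out);
    while ((p = strstr(p, BEGIN)) != NULL) {
        const char *label = p + sizeof BEGIN - 1;
        const char *dash = strstr(label, "-----");        /* end of the label */
        const char *end = dash ? strstr(dash, END) : NULL;
        size_t len;
        if (end == NULL)
            return -1;                                    /* no closing line */
        len = (size_t)(dash - label);
        end += sizeof END - 1;
        if (strncmp(end, label, len) != 0 || strncmp(end + len, "-----", 5) != 0)
            return -1;                                    /* END label differs */
        if (len == 11 && memcmp(label, "CERTIFICATE", 11) == 0)
            out->certs++;
        else if (len >= 11 && memcmp(label + len - 11, "PRIVATE KEY", 11) == 0)
            out->keys++;
        p = end + len + 5;                                /* continue after END */
    }
    out->extra_chain = out->certs > 1 ? out->certs - 1 : 0;
    return 0;
}

int main(void)
{
    struct pem_layout l;
    if (pem_scan(SAMPLE_BUNDLE, &l) != 0 || l.certs == 0 || l.keys == 0)
        return 1;
    printf("%d certificate(s), %d after the first\n", l.certs, l.extra_chain);
    return 0;
}
```

The scan only checks the file's block layout; it does not parse the certificates or confirm that each one was issued by the next.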