[ previous ] [ next ] [ threads ]
 
 From:  Bernie O'Connor <Bernie dot OConnor at sas dot com>
 To:  "m0n0wall dash dev at lists dot m0n0 dot ch" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Intermediate SSL certificates
 Date:  Wed, 14 Dec 2011 14:04:27 +0000 
Just to complete this thread - I sent a response directly back to Peter but did not hear back if
that resolved his issue.  The response:

I found that the order of certificates is critical.  Can you confirm that you paste the client
certificate first in the form, then the intermediate certificate below it.  I am not a programmer
(and definitely not a certificate expert) so I can't answer your question about line 3 obsoleting
line 2.  

-----Original Message-----
From: Peter Allgeyer [mailto:allgeyer at web dot de] 
Sent: Monday, November 21, 2011 5:26 AM
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: [m0n0wall-dev] Intermediate SSL certificates

Hi!

We have problems here with a rapid SSL certificate. It requires a certificate chain with two
intermediate certificates. After looking into the patch for mini_http contributed by Bernie O'Connor
[1], I'm not sure, if it implements the certificate chain correctly.

1 if ( certfile[0] != '\0' )
2   if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM
) == 0 ||
3      if ( SSL_CTX_use_certificate_chain_file( ssl_ctx, certfile ) == 0
||
4           SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile,
SSL_FILETYPE_PEM ) == 0 ||
5           SSL_CTX_check_private_key( ssl_ctx ) == 0
6      )


line 2: first, get ssl certificate,
        SSL_CTX_use_certificate_file() loads the first certificate stored
        in file into ctx.
line 3: get certificate chain
        from ssl_ctx_use_certificate_chain_file(3):
        "SSL_CTX_use_certificate_chain_file() adds the first certificate
        found in the file to the certificate store. The other certificates
        are added to the store of chain certificates using
        ssl_ctx_add_extra_chain_cert(3).
line 4: get private key

So probably line 2 is obsoleted by line 3, isn't it? Does it harm?


[1]
https://github.com/resmo/mirror-m0n0wall-svn/commit/9c3c5dd1ecc06147cf74f935e83d4f8198ab1291

--
---------------------------------------------------------------------------
 copyleft(c) by |   _-_     "Whip me. Beat me. Make me maintain AIX." (By
 Peter Allgeyer | 0(o_o)0   Stephan Zielinski)
---------------oOO--(_)--OOo-----------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch