 From:  Bernie O'Connor <Bernie dot OConnor at sas dot com>
 To:  "m0n0wall dash dev at lists dot m0n0 dot ch" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Intermediate SSL certificates
 Date:  Wed, 14 Dec 2011 14:04:27 +0000
Just to complete this thread - I sent a response directly back to Peter but did not hear back if
that resolved his issue.  The response:

I found that the order of certificates is critical.  Can you confirm that you paste the client
certificate first in the form, then the intermediate certificate below it?  I am not a programmer
(and definitely not a certificate expert) so I can't answer your question about line 3 obsoleting
line 2.

-----Original Message-----
From: Peter Allgeyer [mailto:allgeyer at web dot de] 
Sent: Monday, November 21, 2011 5:26 AM
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: [m0n0wall-dev] Intermediate SSL certificates


We have problems here with a RapidSSL certificate. It requires a certificate chain with two
intermediate certificates. After looking into the patch for mini_httpd contributed by Bernie O'Connor
[1], I'm not sure if it implements the certificate chain correctly.

1 if ( certfile[0] != '\0' )
2   if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
3        SSL_CTX_use_certificate_chain_file( ssl_ctx, certfile ) == 0 ||
4           SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile,
5           SSL_CTX_check_private_key( ssl_ctx ) == 0
6      )

line 2: first, get ssl certificate,
        SSL_CTX_use_certificate_file() loads the first certificate stored
        in file into ctx.
line 3: get certificate chain
        from ssl_ctx_use_certificate_chain_file(3):
        "SSL_CTX_use_certificate_chain_file() adds the first certificate
        found in the file to the certificate store. The other certificates
        are added to the store of chain certificates using
line 4: get private key

So probably line 2 is obsoleted by line 3, isn't it? Does it harm?


 copyleft(c) by |   _-_     "Whip me. Beat me. Make me maintain AIX." (By
 Peter Allgeyer | 0(o_o)0   Stephan Zielinski)
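As an added example (not code from the mini_httpd patch or from m0n0wall), here is a small POSIX shell check that uses the openssl command-line tool to confirm that a pasted PEM bundle is in the order SSL_CTX_use_certificate_chain_file() expects: the server certificate first, then each issuing intermediate, each one's subject matching the issuer of the certificate before it. It assumes the openssl binary is installed; the bundle file name is whatever you pass in.

```shell
#!/bin/sh
# Added check (not part of the mini_httpd patch): confirm that a PEM bundle
# is ordered the way SSL_CTX_use_certificate_chain_file() expects, i.e. the
# server (leaf) certificate first, followed by each issuing intermediate.
# Assumes the openssl command-line tool is installed.
# Exit status: 0 = order is consistent, 1 = a link is out of order, 2 = usage error.
check_chain_order() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate block, keeping file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    rc=0
    i=0
    prev_issuer=""
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || { echo "no certificates found in $bundle" >&2; rc=2; break; }
        i=$((i + 1))
        # Strip the "subject=" / "issuer=" prefixes so the two strings compare directly.
        subject=$(openssl x509 -in "$f" -noout -subject); subject=${subject#subject=}
        issuer=$(openssl x509 -in "$f" -noout -issuer);   issuer=${issuer#issuer=}
        echo "cert $i: subject=$subject"
        if [ "$i" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
            echo "  out of order: cert $((i - 1)) was issued by [$prev_issuer], not by this certificate" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check_chain_order.sh bundle.pem
if [ $# -gt 0 ]; then
    check_chain_order "$1"
fi
```

A bundle that passes this check is in the order Bernie describes (client certificate, then the intermediate(s) below it); swapping two certificates makes the check report the first broken link.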
