Discussion:
Intermediate SSL certificates
Peter Allgeyer
2011-11-21 10:25:49 UTC
Hi!

We have problems here with a RapidSSL certificate. It requires a
certificate chain with two intermediate certificates. After looking
into the patch for mini_httpd contributed by Bernie O'Connor [1], I'm
not sure if it implements the certificate chain correctly.

1 if ( certfile[0] != '\0' )
2 if ( SSL_CTX_use_certificate_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
3 if ( SSL_CTX_use_certificate_chain_file( ssl_ctx, certfile ) == 0 ||
4 SSL_CTX_use_PrivateKey_file( ssl_ctx, certfile, SSL_FILETYPE_PEM ) == 0 ||
5 SSL_CTX_check_private_key( ssl_ctx ) == 0
6 )


line 2: first, get the SSL certificate.
SSL_CTX_use_certificate_file() loads the first certificate stored
in the file into ctx.
line 3: get the certificate chain.
From ssl_ctx_use_certificate_chain_file(3):
"SSL_CTX_use_certificate_chain_file() adds the first certificate
found in the file to the certificate store. The other certificates
are added to the store of chain certificates using
ssl_ctx_add_extra_chain_cert(3)."
line 4: get the private key.

So line 2 is probably made obsolete by line 3, isn't it? Does it do any harm?


[1]
https://github.com/resmo/mirror-m0n0wall-svn/commit/9c3c5dd1ecc06147cf74f935e83d4f8198ab1291
--
---------------------------------------------------------------------------
copyleft(c) by | _-_ "Whip me. Beat me. Make me maintain AIX." (By
Peter Allgeyer | 0(o_o)0 Stephan Zielinski)
---------------oOO--(_)--OOo-----------------------------------------------
Bernie O'Connor
2011-12-14 14:04:27 UTC
Just to complete this thread - I sent a response directly back to Peter but did not hear back if that resolved his issue. The response:

I found that the order of certificates is critical. Can you confirm that you paste the client certificate first in the form, then the intermediate certificate below it? I am not a programmer (and definitely not a certificate expert), so I can't answer your question about line 3 obsoleting line 2.

Peter Allgeyer
2011-12-14 20:36:13 UTC
Post by Bernie O'Connor
> Just to complete this thread - I sent a response directly back to
> I found that the order of certificates is critical. Can you confirm
> that you paste the client certificate first in the form, then the
> intermediate certificate below it? I am not a programmer (and
> definitely not a certificate expert), so I can't answer your question
> about line 3 obsoleting line 2.
Indeed the order of certificates is critical. It is working now, though
I'm still not sure if the code is correct or could be slightly better.
Unfortunately I have no development system here at the moment, so I
can't test this out.

Regards
--
---------------------------------------------------------------------------
copyleft(c) by | Linux: Because a PC is a terrible thing to
Peter Allgeyer | _-_ waste. (By ***@craft.camp.clarkson.edu,
| 0(o_o)0 Mark Komarinski)
---------------oOO--(_)--OOo-----------------------------------------------
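The point the thread settles on, that SSL_CTX_use_certificate_chain_file() treats the first certificate in the file as the server certificate and everything after it as the chain, so pasting an intermediate first makes the key check fail, can be verified before the file ever reaches mini_httpd. The script below is an added example, not m0n0wall or mini_httpd code; it assumes only the openssl command-line tool, builds its own throwaway chain as test data (one intermediate, but the check walks any number of them), and reports whether a bundle is ordered the way the form expects.

```shell
# Added example (not mini_httpd/m0n0wall code): check that a PEM bundle is in
# the order SSL_CTX_use_certificate_chain_file() expects and that the private
# key belongs to the FIRST certificate, the one OpenSSL presents as the server
# certificate. Requires the openssl command-line tool.

# Split PEM bundle $1 into $2/1.pem, $2/2.pem, ... in file order.
split_pem() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/" n ".pem")}' "$1"
}

# Return 0 if bundle $1 is correctly ordered for private key $2, else 1.
check_chain_order() {
    bundle=$1; key=$2; dir=$(mktemp -d); rc=0; i=1
    split_pem "$bundle" "$dir"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    # 1. The key must match the first certificate. With an intermediate pasted
    #    first, this is the mismatch SSL_CTX_check_private_key() reports.
    if [ "$(openssl x509 -in "$dir/1.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "private key does not match the first certificate"; rc=1
    fi
    # 2. Certificate i must be issued by certificate i+1 (compare RFC 2253 names).
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$dir/$((i+1)).pem" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $((i+1))"; rc=1
        fi
        i=$((i+1))
    done
    rm -rf "$dir"; return "$rc"
}

# Constructed test data: a throwaway root -> intermediate -> leaf chain in
# directory $1, bundled as good.pem (leaf first) and bad.pem (intermediate first).
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestRoot \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"
    cat "$d/int.pem" "$d/leaf.pem" > "$d/bad.pem"
}
```

Run `make_test_chain "$dir"` and then `check_chain_order "$dir/good.pem" "$dir/leaf.key"` to see the correctly ordered bundle pass while `bad.pem` fails on the key check, which is the failure mode described in the thread.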