Repository: trafficserver Updated Branches: refs/heads/master cdd1d15b4 -> d23c0a28d
Change certs loading procedure to support loading multiple leaf certs Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/3f1d7c30 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/3f1d7c30 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/3f1d7c30 Branch: refs/heads/master Commit: 3f1d7c30fd21ed3fa48c546ee56c2117bd8d2ce1 Parents: 1e1ca9d Author: sunwei <[email protected]> Authored: Tue Oct 14 12:33:18 2014 +0000 Committer: sunwei <[email protected]> Committed: Tue Oct 14 12:33:18 2014 +0000 ---------------------------------------------------------------------- doc/reference/configuration/ssl_multicert.config.en.rst | 3 +++ iocore/net/SSLUtils.cc | 12 +----------- 2 files changed, 4 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3f1d7c30/doc/reference/configuration/ssl_multicert.config.en.rst ----------------------------------------------------------------------
diff --git a/doc/reference/configuration/ssl_multicert.config.en.rst b/doc/reference/configuration/ssl_multicert.config.en.rst
index 8bdeeb8..8ee98e1 100644
--- a/doc/reference/configuration/ssl_multicert.config.en.rst
+++ b/doc/reference/configuration/ssl_multicert.config.en.rst
@@ -65,6 +65,9 @@ ssl_cert_name=FILENAME[,FILENAME ...]
 subjects and alternate names. The first certificate is used to to match the client's SNI request.
+ You can also configure multiple leaf certificates in a same chain
+ with OpenSSL 1.0.1.
+
 This is the only field that is required to be present.
 dest_ip=ADDRESS (optional)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3f1d7c30/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 85b385a..3f52273 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1141,7 +1141,7 @@ SSLInitServerContext(
 SSL_CTX_set_default_passwd_cb_userdata(ctx, &ud);
 }
- if (!params->serverCertChainFilename && !sslMultCertSettings.ca && sslMultCertSettings.cert) {
+ if (sslMultCertSettings.cert) {
 SimpleTokenizer cert_tok((const char *)sslMultCertSettings.cert, SSL_CERT_SEPARATE_DELIM);
 SimpleTokenizer key_tok((sslMultCertSettings.key ? (const char *)sslMultCertSettings.key : ""), SSL_CERT_SEPARATE_DELIM);
@@ -1162,12 +1162,6 @@ SSLInitServerContext(
 goto fail;
 }
 }
- } else if (sslMultCertSettings.first_cert) { // For backward compatible
- completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, sslMultCertSettings.first_cert);
- if (!SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)) {
- SSLError("failed to load certificate from %s", (const char *) completeServerCertPath);
- goto fail;
- }
 // First, load any CA chains from the global chain file.
 if (params->serverCertChainFilename) {
@@ -1186,10 +1180,6 @@ SSLInitServerContext(
 goto fail;
 }
 }
-
- if (!SSLPrivateKeyHandler(ctx, params, completeServerCertPath, sslMultCertSettings.key)) {
- goto fail;
- }
 }
 // SSL_CTX_load_verify_locations() builds the cert chain from the
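Review bot: With the `} else if (sslMultCertSettings.first_cert)` fallback removed, a record whose `cert` field is unset now skips certificate, chain and private-key loading entirely and continues to the `SSL_CTX_load_verify_locations()` step with an SSL_CTX that carries no server certificate, so the misconfiguration would surface only at the first handshake rather than at load time. Unless an earlier required-field check rejects such records before this point (not visible in this hunk; the documentation calls ssl_cert_name the only required field), the `if (sslMultCertSettings.cert) {` block needs an explicit failure branch at its closing brace, e.g. `} else { SSLError("no certificate configured for this ssl_multicert.config entry"); goto fail; }`. If `first_cert` is no longer read anywhere after this change it is dead state in sslMultCertSettings and can be dropped. SSLInitServerContext begins before and ends after this hunk.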
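Review bot: Dropping the `SSLPrivateKeyHandler(ctx, params, completeServerCertPath, sslMultCertSettings.key)` call leaves no visible private-key load for the certificates this function installs; presumably the per-certificate loop inside the `if (sslMultCertSettings.cert)` block (outside this hunk) now invokes the handler once per cert token, but that loop is not shown. Please confirm it also covers the cases the removed call handled — `sslMultCertSettings.key` unset (the removed call passed the certificate path, which suggests the key may then be read from the cert file) and `key_tok` yielding fewer entries than `cert_tok` — and that each cert/key pair is still validated (e.g. via `SSL_CTX_check_private_key`) so a mismatch fails at load rather than at handshake. If the loop no longer reads `completeServerCertPath`, that variable is now dead and should be removed together with its last assignment.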
