#3064: Deluge Web TLS not working with certificate chains
--------------------+--------------------
Reporter: Jay-C | Owner:
Type: bug | Status: new
Priority: major | Milestone: 1.3.16
Component: Web UI | Version: 1.3.15
Keywords: |
--------------------+--------------------
Hi!
I'm going to try to keep this short. I'm trying to add a certificate chain
to the deluge web UI, the subject certificate concatenated with an
intermediate certificate, as is standard. I've successfully verified the
separate files using the "openssl verify" utility.
{{{
$ openssl verify -verbose -CAfile root.cert.pem -untrusted intermediate.cert.pem deluge.cert.pem
deluge.cert.pem: OK
}}}
However, Firefox gives me an SEC_ERROR_UNKNOWN_ISSUER error. To look at
what the server sends me, I use:
{{{
openssl s_client -CAfile root.cert.pem -connect localhost:8112 -showcerts
}}}
Indeed, the output shows the server does not send the intermediate
certificate. It seems the deluge web server only sends the first
certificate, and skips the rest of the chain. As this has worked
correctly in the past, I looked at the git history and the culprit seems
to be commit c1902e43, which replaces the code for loading the
certificate, specifically
{{{
certificate = Certificate.loadPEM(cert.read()).original
}}}
instead of
{{{
ctx.use_certificate_chain_file(configmanager.get_config_dir(delugeweb.cert))
}}}
As far as I can tell this is an incorrect way to read chain files. Look at
the example at https://pem.readthedocs.io/en/stable/twisted.html for
guidance.
I would fix this myself, but I'm sure those of you who have greater experience
with the code can do it much more quickly and efficiently.
--
Ticket URL: <http://dev.deluge-torrent.org/ticket/3064>
Deluge <http://deluge-torrent.org/>
Deluge Project
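
Added example, not part of the ticket and not Deluge code: a standard-library Python check that compares the certificates in a chain file against the PEM blocks in saved `openssl s_client -showcerts` output and reports which chain positions the server did not send. The PEM bodies, host name and issuer name below are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in text, in order."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_CERT.finditer(text)]


def chain_certs_not_served(chain_pem, s_client_output):
    """Positions (0 = subject certificate) of chain-file certificates that
    do not appear in the `openssl s_client -showcerts` output."""
    served = set(pem_certs(s_client_output))
    return [i for i, der in enumerate(pem_certs(chain_pem))
            if der not in served]


def _fake_pem(label):
    # Constructed placeholder: distinct bytes in PEM armour, NOT a real cert.
    b64 = base64.b64encode(label.encode() * 4).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed chain file: subject certificate followed by one intermediate.
LEAF = _fake_pem("constructed-subject-cert")
INTERMEDIATE = _fake_pem("constructed-intermediate-cert")
CHAIN_FILE = LEAF + INTERMEDIATE

# Constructed s_client output in which only the subject certificate was sent,
# the symptom the ticket describes.
S_CLIENT_OUTPUT = (
    "Certificate chain\n"
    " 0 s:CN = deluge.example\n"
    "   i:CN = Example Intermediate\n"
    + LEAF +
    "---\nServer certificate\n"
)

if __name__ == "__main__":
    missing = chain_certs_not_served(CHAIN_FILE, S_CLIENT_OUTPUT)
    print("chain positions not served:", missing)
```

A non-empty result means a browser that does not already hold the intermediate cannot build a path to the root.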