On 04.02.2014 19:16, Falco Schwarz wrote:
> After playing around a bit more with this patch, I discovered that 
> OCSPStapling cannot get the issuer certificate if you use only the 
> SSLCertificateFile directive. It works if you specify 
> SSLCertificateChainFile, though.
> 
> Error only using SSLCertificateFile:
> 2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
> 2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate foo.bar:443:0 for stapling

I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?

If so, it's actually a side effect of supporting per-certificate chains
with that future (not yet released) OpenSSL version.

There are two ways to address the issue: either in mod_ssl, or in
OpenSSL. I'm not sure which one is preferable, but Mr. OpenSSL will
hopefully tell us... (Steve: in theory, modifying the behavior of
SSL_CTX_get_extra_chain_certs should be acceptable, given that only
SSL_CTX_get0_chain_certs is documented, what do you think?)

Falco, can you confirm that applying one of the attached patches solves
the problem for you?

Kaspar

Index: modules/ssl/ssl_util_stapling.c
===================================================================
--- modules/ssl/ssl_util_stapling.c     (revision 1564646)
+++ modules/ssl/ssl_util_stapling.c     (working copy)
@@ -84,7 +84,11 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mct
     STACK_OF(X509) *extra_certs = NULL;
 
 #ifdef OPENSSL_NO_SSL_INTERN
+#if defined(SSL_CTX_get0_chain_certs)
+    SSL_CTX_get0_chain_certs(mctx->ssl_ctx, &extra_certs);
+#else
     SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
+#endif
 #else
     extra_certs = mctx->ssl_ctx->extra_certs;
 #endif
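Review bot: the new `#if defined(SSL_CTX_get0_chain_certs)` branch replaces the extra-chain lookup instead of supplementing it, so on an OpenSSL build where the macro exists a chain installed through SSLCertificateChainFile (the configuration the quoted report says currently works) is never consulted by stapling_get_issuer. Suggest querying both sources: call `SSL_CTX_get0_chain_certs(mctx->ssl_ctx, &extra_certs);` first and, when `extra_certs` comes back NULL or empty, fall back to `SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);`, which mirrors the fallback the companion s3_lib.c change makes on the OpenSSL side. Note also that `#if defined(...)` only detects SSL_CTX_get0_chain_certs while OpenSSL ships it as a preprocessor macro; if it ever becomes a real function the check silently takes the old path, so a configure-time feature test or an OPENSSL_VERSION_NUMBER comparison would be more robust.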
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bb1d508..38bf443 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3914,7 +3914,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void 
*parg)
                break;
 
        case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
-               *(STACK_OF(X509) **)parg =  ctx->extra_certs;
+               *(STACK_OF(X509) **)parg =  ctx->extra_certs ?
+                                           ctx->extra_certs :
+                                           ctx->cert->key->chain;
                break;
 
        case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
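Review bot: the fallback in SSL_CTRL_GET_EXTRA_CHAIN_CERTS returns `ctx->cert->key->chain`, which is the chain of whichever certificate slot is currently selected in `ctx->cert->key`, not necessarily the chain of the certificate the caller is inspecting; with more than one certificate loaded into the same SSL_CTX (for example RSA plus ECDSA) a caller that walks the certificates can be handed the issuer list of a different one. The change also silently alters the contract of SSL_CTX_get_extra_chain_certs, since a NULL result no longer means "no extra chain was added", and callers that use NULL to decide whether to install a chain could now skip that step. If the behaviour is kept, the ssl.h comment or manual page for SSL_CTX_get_extra_chain_certs should document the fallback; otherwise it may be cleaner to leave this ctrl unchanged and have mod_ssl use SSL_CTRL_GET_CHAIN_CERTS directly for the per-certificate case.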
