On Thu, May 14, 2015 at 7:35 AM, Michal Lesniewski
<[email protected]> wrote:
> Hello,
>
> I'm trying to configure OpenBSD 5.7 httpd with TLS and an intermediate/chain
> certificate, without success.
>
> my httpd.conf:
>
> server "default" {
>     listen on 10.11.0.200 tls port 443
>
>     tls {
>         certificate "/etc/ssl/server-unified.pem"
>         key "/etc/ssl/private/server.key"
>     }
>
I think this should be
tls certificate "/etc/ssl/server-unified.pem"
tls key "/etc/ssl/private/server.key"
>     root "/htdocs/default"
> }
>
> types {
>     include "/usr/share/misc/mime.types"
> }
>
>
>
> My certificate is an intermediate/chain certificate. That means I need to supply
> the "next level" certificate that sits between my certificate and the CA.
>
> I made that chain certificate by concatenating the PEM-format files of the
> corresponding certs (all certs Signature Algorithm: sha256WithRSAEncryption):
>
> cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem
>
> server-unified.pem looks like:
>
> -----BEGIN CERTIFICATE-----
> (Primary SSL certificate: server.pem)
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Intermediate certificate: sub.class2.server.ca.pem)
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Root certificate: ca-sha2.pem)
> -----END CERTIFICATE-----
>
> Certificate and key installed in default locations:
>
> # ls -alh /etc/ssl/private/server.key
> -r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
> # ls -alh /etc/ssl/server.pem
> -rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
> # ls -alh /etc/ssl/server-unified.pem
> -rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem
>
>
> I try to test using openssl s_client:
>
> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
> CONNECTED(00000003)
> GET / HTTP/1.0
>
>
>
> httpd log:
>
>
> # httpd -dvvvvvvvvvv
> startup
> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
> server_tls_load_keypair: using private key /etc/ssl/private/server.key
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> server_privinit: adding server default
> server_privinit: adding server default
> socket_rlimit: max open files 1024
> server_launch: running server default
> server_launch: running server default
> server_launch: running server default
>
>> there is no "server_tls_init"
>> nothing appears when the openssl s_client command is started
>
>
> ^Clogger exiting, pid 20328
> server exiting, pid 17109
> server exiting, pid 6140
> server exiting, pid 16603
> parent terminating, pid 11859
>
>
> I tested combinations of the unified certificate like:
>
> cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
> cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
> cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
>
> but situation is always as described above.
>
>
> When I change "tls certificate" in the config file to:
>
> tls certificate "/etc/ssl/server.pem"
>
> where server.pem is the PEM-format certificate file from my CA (without the
> entire SSL certificate trust chain) and start httpd:
>
> # httpd -dvvvvvvvvvv
> startup
> server_tls_load_keypair: using certificate /etc/ssl/server.pem
> server_tls_load_keypair: using private key /etc/ssl/private/server.key
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> server_privinit: adding server default
> server_privinit: adding server default
> socket_rlimit: max open files 1024
> server_launch: running server default
> server_launch: running server default
> server_tls_init: setting up TLS for default
> server_launch: running server default
> server_tls_init: setting up TLS for default
> server_tls_init: setting up TLS for default
> server_launch: running server default
> server_launch: running server default
> server_launch: running server default
> default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
> server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443,
> done
> ^Clogger exiting, pid 5930
> server exiting, pid 19884
> server exiting, pid 26372
> server exiting, pid 14384
> parent terminating, pid 22451
>
>
> I try to test using openssl s_client like before:
>
> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
> CONNECTED(00000003)
> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
> emailAddress = XXX
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
> emailAddress = XXX
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
> emailAddress = XXX
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
> i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> (Primary SSL certificate: server.pem)
> -----END CERTIFICATE-----
> subject=/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
> issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4020 bytes and written 511 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 8192 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> 763361AC6825A838E0FE8782F8FE20DF048536FECC20530E16003132C5BEDB66
> Session-ID-ctx:
> Master-Key:
> 39DCA8F06FE62896A75D1D4B8C961D5FB4E5B50238A59C7AB21DB33C63723AFF0C93D099064D37419FD385B7EEC1573C
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
> 0000 - aa 00 6c 87 f7 97 38 fa-ee 44 db 0f 35 44 eb b6 ..l...8..D..5D..
> 0010 - d6 51 6d bb 20 5a b4 d1-9d 09 59 69 4b a8 84 dd .Qm. Z....YiK...
> 0020 - fb 0b 56 ca 16 be 77 ed-f5 14 85 69 f8 f1 a2 a2 ..V...w....i....
> 0030 - 93 d3 a0 85 46 d4 f5 1e-75 40 26 ad aa 1e fc 4d ....F...u@&....M
> 0040 - 55 78 bc 1b cb fc 27 64-f1 12 82 e1 02 49 d7 61 Ux....'d.....I.a
> 0050 - 12 9d 13 9a d5 b8 97 84-e3 ed 09 96 ba e5 1c 14 ................
> 0060 - dd 6f 84 d7 ee 71 5c 07-4c cc c8 3a 33 f1 c4 c4 .o...q\.L..:3...
> 0070 - ae fe ba bc 9d d5 86 a2-11 04 fd ec 2f ff 55 89 ............/.U.
> 0080 - b6 c2 97 5d a1 53 34 07-c5 2c 51 12 8a 7a 84 1f ...].S4..,Q..z..
> 0090 - 2e 4c 83 54 e9 a0 f4 ab-6c bf 6a 75 f4 96 5e 8c .L.T....l.ju..^.
> 00a0 - da 3f 47 b7 d9 87 f7 0d-39 54 e6 90 11 ac a8 e3 .?G.....9T......
> 00b0 - c1 39 b7 4a b9 5c 64 71-dc 83 99 d2 c9 07 cf eb .9.J.\dq........
>
> Start Time: 1431605259
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> GET / HTTP/1.0
>
> HTTP/1.0 200 OK
> Connection: close
> Content-Length: 7
> Content-Type: text/html
> Date: Thu, 14 May 2015 12:07:50 GMT
> Last-Modified: Wed, 13 May 2015 17:29:26 GMT
> Server: OpenBSD httpd
>
> devcat
> read:errno=0
>
>
> Unfortunately I did not find an answer on the mailing list / Google.
>
> BTW, I have the same situation with httpd in OpenBSD 5.6-stable (the only
> change in the config file is ssl [5.6] --> tls [5.7]).
>
> Any ideas on what I'm doing wrong? How do I start a TLS server with a
> chain/intermediate certificate? Thanks for your help!
>
> Best Regards,
> Michal Lesniewski
>
I also use starttls chain/intermediate without issues in httpd.
Regards
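As an added example that is not part of the thread and not OpenBSD httpd's own code: a small pure-Python checker for the order of a PEM bundle such as server-unified.pem. It walks the DER of each certificate far enough to pull out the subject and issuer Names and then verifies the order a TLS server's certificate file needs: the server (leaf) certificate first, followed by each issuer in turn, with the self-signed root optional because clients must already trust it. The sample certificates, their names (www.example.test, Example Intermediate CA, Example Root CA) and their dummy keys and signatures are constructed inside the script as stand-ins for server.pem, sub.class2.server.ca.pem and ca-sha2.pem; the checker looks at structure only and does not verify signatures.

```python
import base64
import re
import sys

# Pull every base64 body out of a PEM bundle, in file order.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def der_read_tlv(buf, off):
    """Return (tag, header_len, content_len) for the DER element starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def der_children(buf, off, end):
    """Yield (tag, start, end) for each DER element laid out between buf[off] and buf[end]."""
    while off < end:
        tag, hdr, length = der_read_tlv(buf, off)
        yield tag, off, off + hdr + length
        off += hdr + length


def cert_names(der):
    """Return (subject, issuer) as raw DER Name bytes from one X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, hdr, length = der_read_tlv(der, 0)
    _, tbs_start, tbs_end = next(der_children(der, hdr, hdr + length))
    _, tbs_hdr, _ = der_read_tlv(der, tbs_start)
    fields = list(der_children(der, tbs_start + tbs_hdr, tbs_end))
    if fields[0][0] == 0xA0:              # skip the EXPLICIT [0] version when present
        fields = fields[1:]
    issuer = der[fields[2][1]:fields[2][2]]
    subject = der[fields[4][1]:fields[4][2]]
    return subject, issuer


def check_chain(pem_text):
    """Return a list of problems with the bundle; an empty list means the order is
    what a TLS server wants: server certificate first, then each issuer in turn."""
    certs = [cert_names(der) for der in pem_to_der_list(pem_text)]
    if not certs:
        return ["no PEM certificates found"]
    problems = []
    if certs[0][0] == certs[0][1]:
        problems.append("first certificate is self-signed; the bundle must start with the server certificate")
    for i in range(len(certs) - 1):
        # A properly issued chain gives byte-identical DER Names, so compare raw bytes.
        if certs[i][1] != certs[i + 1][0]:
            problems.append(f"certificate {i} was not issued by certificate {i + 1}: chain order is broken")
    if len(certs) > 1 and certs[-1][0] == certs[-1][1]:
        problems.append("last certificate is a self-signed root; clients must already trust it, so it can be left out")
    return problems


# --- constructed sample data: dummy certificates with placeholder key and signature ---

def der_tlv(tag, content):
    """Encode one DER element with a correct short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


OID_CN = bytes.fromhex("0603550403")                       # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption
OID_RSA = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption


def der_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, OID_CN + der_tlv(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn, serial):
    """Build a structurally valid X.509 v3 certificate whose key and signature are dummies."""
    alg = der_tlv(0x30, OID_SHA256_RSA + b"\x05\x00")
    validity = der_tlv(0x30, der_tlv(0x17, b"150514000000Z") * 2)
    spki = der_tlv(0x30, der_tlv(0x30, OID_RSA + b"\x05\x00") + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


# Hypothetical stand-ins for server.pem, sub.class2.server.ca.pem and ca-sha2.pem.
LEAF = fake_cert("www.example.test", "Example Intermediate CA", 1)
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA", 2)
ROOT = fake_cert("Example Root CA", "Example Root CA", 3)

GOOD_CHAIN = LEAF + INTERMEDIATE          # the order the server needs
WRONG_ORDER = INTERMEDIATE + LEAF         # CA first, like "cat ca-sha2.pem sub... server.pem"
WITH_ROOT = LEAF + INTERMEDIATE + ROOT    # works, but the root is dead weight on every handshake

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # check a real bundle: python3 chaincheck.py /etc/ssl/server-unified.pem
        print(check_chain(open(sys.argv[1]).read()) or "ok")
    for label, bundle in (("good", GOOD_CHAIN), ("wrong order", WRONG_ORDER), ("with root", WITH_ROOT)):
        print(label, "->", check_chain(bundle) or "ok")
```

Point it at the real file with `python3 chaincheck.py /etc/ssl/server-unified.pem` (the file name is an assumption). An empty result only says the bundle is in leaf-first order; whether the chain actually validates is still a job for `openssl verify` or the `openssl s_client` run shown above, where a correct bundle makes the "unable to get local issuer certificate" error go away.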