On 14.05.2015 14:43, Abel Abraham Camarillo Ojeda wrote:
On Thu, May 14, 2015 at 7:35 AM, Michal Lesniewski
<[email protected]> wrote:
Hello,

I'm trying to configure OpenBSD 5.7 httpd with TLS and an intermediate/chain
certificate, without success.

my httpd.conf:

server "default" {
         listen on 10.11.0.200 tls port 443

         tls {
                 certificate "/etc/ssl/server-unified.pem"
                 key "/etc/ssl/private/server.key"
         }

I think this should be

tls certificate "/etc/ssl/server-unified.pem"
tls key "/etc/ssl/private/server.key"

the same situation


         root "/htdocs/default"
}

types {
         include "/usr/share/misc/mime.types"
}



My certificate is an intermediate/chain certificate. That means I need to supply
the "next level" certificate that sits between my certificate and the CA.

I made that chain certificate by concatenating the PEM format files of the
corresponding certs (all certs have Signature Algorithm: sha256WithRSAEncryption):

cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem

server-unified.pem looks like:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----

Certificate and key installed in default locations:

# ls -alh /etc/ssl/private/server.key
-r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem


I tried to test using openssl s_client:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(00000003)
GET / HTTP/1.0



httpd log:


# httpd -dvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default

there is no "server_tls_init", and nothing appears when the openssl s_client
command is started.

^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859


I tested combinations with unified certificate like:

cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem

but the situation is always as described above.


When I change "tls certificate" in the config file to:

         tls certificate "/etc/ssl/server.pem"

where server.pem is the PEM format certificate file from my CA (without the
entire SSL certificate trust chain) and start httpd:

# httpd -dvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443, done
^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451


I tried to test using openssl s_client like before:

michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(00000003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX,
emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom
Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
subject=/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 8192 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID:
763361AC6825A838E0FE8782F8FE20DF048536FECC20530E16003132C5BEDB66
     Session-ID-ctx:
     Master-Key:
39DCA8F06FE62896A75D1D4B8C961D5FB4E5B50238A59C7AB21DB33C63723AFF0C93D099064D37419FD385B7EEC1573C
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 300 (seconds)

     Start Time: 1431605259
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0

HTTP/1.0 200 OK
Connection: close
Content-Length: 7
Content-Type: text/html
Date: Thu, 14 May 2015 12:07:50 GMT
Last-Modified: Wed, 13 May 2015 17:29:26 GMT
Server: OpenBSD httpd

devcat
read:errno=0


Unfortunately I did not find an answer on the mailing list / Google.

BTW, I have the same situation with httpd in OpenBSD 5.6 stable (the only
change in the config file is ssl [5.6] --> tls [5.7]).

Any ideas on what I'm doing wrong? How do I start a TLS server with a
chain/intermediate certificate? Thanks for your help!

Best Regards,
Michal Lesniewski

I also use starttls chain/intermediate without issues in httpd

how do you concatenate certificates for server-chain.pem?
all of them (server cert, intermediate and ca) or only server cert and intermediate?
what order (server, intermediate, ca or ca, intermediate, server)?
what size of public key do you have?

My server public key is 8192 bit. Maybe this is the problem?

Best Regards,
Michal Lesniewski
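The thread turns on how the certificates in server-unified.pem are concatenated. As an added example that is not part of the original mails (and not OpenBSD's or httpd's code), this POSIX shell check confirms that a PEM bundle is ordered leaf, intermediate, root, with each certificate's issuer matching the subject of the one after it, and that the leaf builds a path to the root; it assumes openssl(1) is on the PATH and all file names are placeholders.

```shell
# Added example, not from the thread: check that a concatenated PEM bundle
# such as server-unified.pem is ordered leaf -> intermediate -> root, i.e.
# each certificate's issuer equals the subject of the certificate after it.
# Assumes openssl(1) is on the PATH; every file name here is made up.

# Split a PEM bundle ($1) into 1.pem, 2.pem, ... inside directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Print the subject or issuer DN of $2 without the "subject="/"issuer="
# prefix, so the two compare equal whatever the OpenSSL version prints.
dn() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# check_chain_order bundle.pem: 0 when cert i is issued by cert i+1 for
# every adjacent pair, 1 at the first break (reported on stderr), 2 if empty.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    split_bundle "$bundle" "$dir"
    set -- "$dir"/*.pem
    [ -f "$1" ] || { rm -rf "$dir"; return 2; }
    count=$# i=1 rc=0
    while [ "$i" -lt "$count" ]; do
        if [ "$(dn issuer "$dir/$i.pem")" != "$(dn subject "$dir/$((i + 1)).pem")" ]; then
            echo "chain break: cert $i is not issued by cert $((i + 1))" >&2
            rc=1; break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# verify_leaf root.pem bundle.pem: build a path from the first certificate in
# the bundle to the trusted root, using the rest of the bundle as untrusted
# intermediates, which is what a client does with the chain a server sends.
verify_leaf() {
    leaf=$(mktemp) || return 2
    awk '{ print } /-----END CERTIFICATE-----/ { exit }' "$2" > "$leaf"
    openssl verify -CAfile "$1" -untrusted "$2" "$leaf"
    rc=$?
    rm -f "$leaf"
    return $rc
}
```

Running check_chain_order over a bundle built with the wrong cat order reports the first position where the issuer/subject link breaks. The "verify error:num=21:unable to verify the first certificate" in the s_client output above is the client-side symptom of a server that sends only the leaf, with no intermediate to chain through.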
