On 12.02.2017 at 12:04, Michael Ströder wrote:
> [email protected] wrote:
>> as discussed on the technical ML it's uncommon to put chain certificates in
>> TLSCACertificateFile or TLSCACertificatePath. In case of an intermediate CA like
>> "Let's Encrypt Authority X3" it may be wrong because the user is forced to
>> /TRUST/ that intermediate for an unrelated purpose.
>
> We should be more precise here - especially regarding the term "user".

agree

> IMO it is common to put the whole CA cert chain in the cert configuration of a TLS
> server. This is required so that the TLS *client* only has to know the root CA cert
> (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS
> implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).

As I don't use GnuTLS I can't say anything about its internals.

> The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used
> to specify the set of trusted CA certs to validate TLS client certs used by the TLS
> client to authenticate.

correct. That's also what "man 3 SSL_CTX_use_certificate" mentions.

> So I'm not sure whether your patch breaks the use-case of having more than one trusted
> root CA cert for validating TLS client certs issued by independent CAs.

I may imagine a setup with RSA and EC certificates. Two certs are more complex than one.
But if an admin decides to use different CAs it's his decision for more complexity.

> I think we might need different directives for trusted CA certs for client cert
> validation and the server cert chain (similar to what's done on Apache mod_ssl with
> SSLCertificateChainFile and SSLCACertificateFile/SSLCACertificatePath).

also: I don't use Apache, can't tell if that way is the best. Postfix, Dovecot, nginx for
example don't require a "SSLCertificateChainFile" directive.

> It could be sufficient to simply add the server CA cert chain to TLSCertificateFile and
> only add the trusted root CA certs to TLSCACertificateFile/TLSCACertificatePath (and no C
> code patch needed for that, maybe review/clarification of the docs).

that's what the patch tries. currently I tried to add cert+chain to a file used as
TLSCertificateFile. The chain is ignored as expected and documented in
"man 3 SSL_CTX_use_certificate_file". Simply replacing SSL_CTX_use_certificate_file by
SSL_CTX_use_certificate_chain_file fixes that.

I now can put cert+chain (excluding a root) to the file used as TLSCertificateFile. As
simple as it could be. But: I'm aware there are other use cases that will break stuff,
years old. So my ITS is more intended to point out a problem than simply changing
openldap to my needs.

Andreas
