Sailesh Mukil has posted comments on this change. ( http://gerrit.cloudera.org:8080/9934 )
Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................


Patch Set 2:

(2 comments)

Thanks for the review, Dan!

http://gerrit.cloudera.org:8080/#/c/9934/1/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

http://gerrit.cloudera.org:8080/#/c/9934/1/src/kudu/security/tls_context.cc@197
PS1, Line 197: cert.GetRawData()), "could not init X509_STORE_CTX");
> I pretty much completely paged these APIs out so I started looking through
Good point. The man page was pretty ambiguous about that. The reason I did it the first way was because of this para from the man page:

"X509_STORE_CTX_init() sets up ctx for a subsequent verification operation. It must be called before each call to X509_verify_cert(), i.e. a ctx is only good for one call to X509_verify_cert(); if you want to verify a second certificate with the same ctx then you must call X509_STORE_CTX_cleanup() and then X509_STORE_CTX_init() again before the second call to X509_verify_cert(). The trusted certificate store is set to store, the end entity certificate to be verified is set to x509 and a set of additional certificates (which will be untrusted but may be used to build the chain) in chain. Any or all of the store, x509 and chain parameters can be NULL."

https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html

But I'm guessing it probably means to do that one by one for certs that are not part of a single chain.

I also looked at this tutorial to make sure that this is the right way to do it:
https://zakird.com/2013/10/13/certificate-parsing-with-openssl

I'll make that change.

http://gerrit.cloudera.org:8080/#/c/9934/1/src/kudu/security/tls_context.cc@201
PS1, Line 201: if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
> add braces around if block here and below.
I removed this code now.
-- 
To view, visit http://gerrit.cloudera.org:8080/9934
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9934
Gerrit-PatchSet: 2
Gerrit-Owner: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Lars Volker <[email protected]>
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-Comment-Date: Thu, 05 Apr 2018 21:24:24 +0000
Gerrit-HasComments: Yes
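Added example, not part of change 9934 and not Kudu code: the three arguments of X509_STORE_CTX_init(ctx, store, x509, chain) that the quoted man page paragraph describes map directly onto the openssl CLI (-CAfile is the trusted store, the positional file is the end-entity cert, -untrusted is the chain of extra certs that may be used to build a path). The script below builds a throwaway root / intermediate / server hierarchy (all names, such as "Example Root CA" and kudu-master.example, are made up for the demo) and then verifies the server cert four ways, including the KUDU-2401 layout where the intermediate is appended to the server cert file. It assumes an OpenSSL 1.1.1-or-newer command-line binary on PATH.

```shell
#!/bin/sh
# Added example: openssl CLI as a stand-in for X509_STORE_CTX_init(ctx, store, x509, chain).
#   -CAfile     <-> store  (trusted roots)
#   positional  <-> x509   (the end-entity certificate being verified)
#   -untrusted  <-> chain  (extra, untrusted certs usable for path building)
# Assumes openssl 1.1.1+ on PATH. Certificates and names are constructed here.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# Minimal config: an empty DN section (we pass -subj) plus two extension sets.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:kudu-master.example
EOF

newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Self-signed root: the only thing that goes into the trusted store.
openssl req -x509 -new $newkey -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 -config ext.cnf -extensions ca_ext >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new $newkey -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" -config ext.cnf >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ext.cnf -extensions ca_ext >/dev/null 2>&1

# Server (end-entity) cert, signed by the intermediate.
openssl req -new $newkey -keyout leaf.key -out leaf.csr \
  -subj "/CN=kudu-master.example" -config ext.cnf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile ext.cnf -extensions leaf_ext >/dev/null 2>&1

# What operators usually deploy: leaf first, intermediate appended (the KUDU-2401 file layout).
cat leaf.pem inter.pem > server_chain.pem

# verify_status STORE UNTRUSTED CERT
# Prints OK when openssl can build a path from CERT to a root in STORE, FAIL otherwise.
# UNTRUSTED may be the empty string (no chain argument). Checks the ": OK" line rather
# than the exit code so it behaves the same across openssl versions.
verify_status() {
  store=$1; untrusted=$2; cert=$3
  if [ -n "$untrusted" ]; then
    set -- -CAfile "$store" -untrusted "$untrusted" "$cert"
  else
    set -- -CAfile "$store" "$cert"
  fi
  if openssl verify "$@" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# 1. Leaf alone against the root store: no path, the intermediate is unknown.
echo "store=root  cert=leaf          chain=(none):        $(verify_status root.pem '' leaf.pem)"
# 2. Same, but the intermediate is supplied as untrusted chain material.
echo "store=root  cert=leaf          chain=inter:         $(verify_status root.pem inter.pem leaf.pem)"
# 3. The combined file as the cert: only the FIRST cert in the file is verified,
#    the appended intermediate is ignored, so this fails exactly like case 1.
echo "store=root  cert=server_chain  chain=(none):        $(verify_status root.pem '' server_chain.pem)"
# 4. The fix direction: hand the extra certs from the server cert file to the
#    chain/untrusted argument; the stray copy of the leaf in there is harmless.
echo "store=root  cert=leaf          chain=server_chain:  $(verify_status root.pem server_chain.pem leaf.pem)"
```

Cases 1 and 3 are the failure the change title describes: a file that contains the intermediate is not the same as a verifier that knows about it, because the verifier only reads the first certificate as the subject and has no way to discover the rest unless they are passed as the chain. Case 4 is the shape of the fix: load every additional certificate found in the server cert file and pass the whole set as untrusted chain material while keeping the store limited to the real trust anchors.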
