Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Otto Moerbeek
On Tue, Sep 13, 2016 at 03:57:33AM -0400, Ian Sutton wrote:

> On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> > Did you try to /append/ the intermediate certificate(s) to the server
> > certificate?  That worked for me on OpenBSD 6.0's httpd.
> 
> Yes.
> 
> Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
> intermediate certificate to be at the *bottom* of the combined
> certificate, the opposite of what I'm used to.

Both nginx and apache do it like that...

-Otto
> 
> To clarify for future readers: if you want to provide an intermediate
> certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
> look like this:
> 
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> 
> -----END CERTIFICATE-----
> 
> 
> > An explanation might be the documentation to the
> > SSL_CTX_use_certificate_chain_XXX functions used:
> > 
> >  The SSL_CTX_use_certificate_chain*() functions load a certificate
> >  chain into ctx.  The certificates must be in PEM format and must
> >  be sorted starting with the subject's certificate (actual client
> >  or server certificate), followed by intermediate CA certificates
> >  if applicable, and ending at the highest level (root) CA.  There
> >  is no corresponding function working on a single SSL object.
> 
> I (myopically) missed this.
> 
> > Best regards
> > Robert



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Robert Klein
On Tue, 13 Sep 2016 03:15:18 -0400
Ian Sutton  wrote:

> On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> > See, here's where you're taking a wrong turn that I should have
> > caught earlier: your first post should answer this question:
> >  What problem are you trying to solve?
> > 
> > httpd may be able to do what you want *already*, but since you
> > haven't actually *told anyone* what you're trying to do, no one can
> > help you and say "oh yeah, that already works as documented in
> > "
> 
> Since my certificate isn't provided by a root CA, any clients would
> have to verify both my cert AND the certificates of the intermediate
> authorities between me and the root CA. I can provide this certificate
> stapled along with my own cert to save the client the trouble of
> fetching it, which Qualys informs me is "good practice".


Did you try to /append/ the intermediate certificate(s) to the server
certificate?  That worked for me on OpenBSD 6.0's httpd.

An explanation might be the documentation to the
SSL_CTX_use_certificate_chain_XXX functions used:

 The SSL_CTX_use_certificate_chain*() functions load a certificate
 chain into ctx.  The certificates must be in PEM format and must
 be sorted starting with the subject's certificate (actual client
 or server certificate), followed by intermediate CA certificates
 if applicable, and ending at the highest level (root) CA.  There
 is no corresponding function working on a single SSL object.

Best regards
Robert



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> Did you try to /append/ the intermediate certificate(s) to the server
> certificate?  That worked for me on OpenBSD 6.0's httpd.

Yes.

Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
intermediate certificate to be at the *bottom* of the combined
certificate, the opposite of what I'm used to.

To clarify for future readers: if you want to provide an intermediate
certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
look like this:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----


> An explanation might be the documentation to the
> SSL_CTX_use_certificate_chain_XXX functions used:
> 
>  The SSL_CTX_use_certificate_chain*() functions load a certificate
>  chain into ctx.  The certificates must be in PEM format and must
>  be sorted starting with the subject's certificate (actual client
>  or server certificate), followed by intermediate CA certificates
>  if applicable, and ending at the highest level (root) CA.  There
>  is no corresponding function working on a single SSL object.

I (myopically) missed this.

> Best regards
> Robert

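The ordering rule spelled out above (server certificate first, then intermediates toward the root, as SSL_CTX_use_certificate_chain*() expects) is easy to get wrong when concatenating files by hand, and as the thread shows httpd only tells you about it under `httpd -d`. The following checker is an added example written for this page; it is not code from the thread, from httpd(8) or from LibreSSL. It uses only the Python standard library: a small DER walker pulls the issuer and subject Names out of each certificate block so the chain linkage can be verified, `diagnose()` names the problem (including the intermediate-first case from the original report) and `reorder()` rewrites the file leaf-first. The `fake_cert()` builder and the `www.example.org` / `Example Intermediate CA` names are constructed test data: the skeletons have a valid tbsCertificate layout but a dummy key and signature, so they exercise the parser without being real certificates.

```python
"""Check and repair certificate order in a concatenated PEM file for httpd(8).

Expected order: server (leaf) certificate first, then intermediates toward
the root. Only the stdlib is used; a minimal DER walker extracts the issuer
and subject Names needed to check that each certificate was issued by the
next one in the file.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return [(pem_block_text, der_bytes), ...] in file order."""
    return [(m.group(0), base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(text)]


def der_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) as the raw DER Name encodings of an X.509 cert."""
    _, p, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, p, _ = der_tlv(der, p)               # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    _, _, p = der_tlv(der, p)               # serialNumber
    _, _, p = der_tlv(der, p)               # signature AlgorithmIdentifier
    _, _, end = der_tlv(der, p)             # issuer Name
    issuer, p = der[p:end], end
    _, _, p = der_tlv(der, p)               # validity
    _, _, end = der_tlv(der, p)             # subject Name
    return issuer, der[p:end]


def diagnose(pem_text):
    """Describe why httpd would reject this file, or return "ok"."""
    names = [cert_names(der) for _, der in pem_blocks(pem_text)]
    if not names:
        return "no certificates found"
    first_subject = names[0][1]
    if any(issuer == first_subject for issuer, _ in names[1:]):
        return ("first certificate is the issuer of another one: an intermediate "
                "is ahead of the server certificate")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return f"certificate {i + 1} was not issued by certificate {i + 2}"
    return "ok"


def reorder(pem_text):
    """Return the same certificates sorted leaf first, then up the chain."""
    entries = pem_blocks(pem_text)
    if len(entries) < 2:
        return pem_text
    by_subject = {cert_names(der)[1]: (pem, der) for pem, der in entries}
    issuers = {cert_names(der)[0] for _, der in entries}
    # The leaf is the one certificate that issued nothing else in the file.
    leaves = [e for e in entries if cert_names(e[1])[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("cannot identify a unique server certificate")
    ordered = [leaves[0]]
    while len(ordered) < len(entries):
        issuer, subject = cert_names(ordered[-1][1])
        nxt = by_subject.get(issuer)
        if nxt is None or issuer == subject:
            break                           # reached a root or a gap in the chain
        ordered.append(nxt)
    return "\n".join(pem for pem, _ in ordered) + "\n"


# --- constructed test data: unsigned certificate skeletons (not real certs) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { commonName (2.5.4.3), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """PEM text with a valid tbsCertificate layout, dummy key and dummy signature."""
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    key_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"160913000000Z") + _tlv(0x17, b"170913000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _tlv(0x30, key_alg + _tlv(0x03, b"\x00\x00")))
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("www.example.org", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    print("leaf first:        ", diagnose(LEAF + INTERMEDIATE))
    print("intermediate first:", diagnose(INTERMEDIATE + LEAF))
    print("after reorder():   ", diagnose(reorder(INTERMEDIATE + LEAF)))
```

Run it against a real `/etc/ssl/server.crt` by passing the file's contents to `diagnose()`; the check deliberately looks only at issuer/subject linkage, so it catches the swapped order without needing the private key. It does not verify that the first certificate matches `/etc/ssl/private/server.key`, which is the other way to hit the "failed to load private key" message; `openssl x509 -in server.crt -noout -subject -issuer` reads only the first block of the file and is a quick way to confirm which certificate httpd will treat as the server certificate.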


Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> See, here's where you're taking a wrong turn that I should have caught
> earlier: your first post should answer this question:
>  What problem are you trying to solve?
> 
> httpd may be able to do what you want *already*, but since you haven't
> actually *told anyone* what you're trying to do, no one can help you
> and say "oh yeah, that already works as documented in "

Since my certificate isn't provided by a root CA, any clients would have
to verify both my cert AND the certificates of the intermediate
authorities between me and the root CA. I can provide this certificate
stapled along with my own cert to save the client the trouble of
fetching it, which Qualys informs me is "good practice".

> Or maybe: "oh yeah, that can be done, but isn't documented because it
> seemed clunky.  Use this configuration, and I'm fixing the docs".
> 
> Or maybe: "oh yeah, that would be useful.  I was thinking it should be
> done like  but if you implement it send me the diff."

If this is the case, I would like to know so I could try and implement
it myself and atone for my apparent sins.

> I suspect it's the middle case..but I'm not reyk@ and don't normally
> work on httpd...
> 
> 
> ...and I don't know why you took this thread off-list.  This seems
> like a discussion that would be useful to others.

Forgot to cc the list ;)



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Philip Guenther
On Mon, Sep 12, 2016 at 11:16 PM, Ian Sutton  wrote:
> httpd currently fails to serve over TLS if the certificate file
> specified in httpd.conf contains an intermediate certificate ahead of
> the site's certificate. httpd still starts with no error indication
> (with rcctl) but `httpd -d` shows:

Hmm.  What wording of the documentation suggested that multiple
certificates should or *could* be placed in that file?  The manpage
says
 certificate file
 Specify the certificate to use for this server.  The file
 should contain a PEM encoded certificate.  The default is
 /etc/ssl/server.crt.

It doesn't say how it behaves if there are multiple certificates in
the file, so why do you think the current behavior is wrong?  More
precisely, since it *doesn't* say *which* cert in the file it would
use when there are multiple, it may use any of them.  If the one it
chose didn't match the key that you provided then yeah, it'll fail.
So, as the old joke goes, "don't do that!"

Having looked at the source, I *think* I know which it'll use as the
server cert, and what it'll do with other certs in file, but
a) I haven't tested it and
b) more importantly, reyk@ hasn't documented a behavior and thereby
decided it's supported, in some sense.


Philip Guenther



httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
httpd currently fails to serve over TLS if the certificate file
specified in httpd.conf contains an intermediate certificate ahead of
the site's certificate. httpd still starts with no error indication
(with rcctl) but `httpd -d` shows:

server_tls_init: failed to configure tls - failed to load private key

I think this may be due to a fingerprint mismatch between the
pub/private key on the server and the first cert found in the certfile
(the intermediate in my case).

No error is reported in error.log, and if this failure is indeed
intended functionality, perhaps we should log an error as I imagine a
lot of people will run into this.

I'm getting this problem on the server at https://ce.gl with the
compound certfile pasted below. I'm running the latest snapshot as of
this mail.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----