On Jan 31, 2014, at 9:14 AM, Reindl Harald <[email protected]> wrote:
> one thing would be fine too
>
> * having a PEM file with Cert/Key/Intermediate-CA
> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
>
> the valid use case here is that the wildcard-cert we are using starting
> with 2014/01 is used for mail, http and whatnot - dovecot has no config
> for the CA file, so the PEM file contains already the full chain which
> looks like at the bottom
>
> in case of different certs from different CAs used for different
> services this may make things less error-prone, not a big deal, only
> a wish if someone has the knowledge and is willing to implement it
I think that this should be straightforward. I even have a comment in the code
saying that using a different OpenSSL API would make this work. Does this patch
work?
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ca1b82b..6311834 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -449,7 +449,7 @@ SSLInitServerContext(
// also loads only the first certificate, but it allows the intermediate CA
certificate chain to
// be in the same file. SSL_CTX_use_certificate_chain_file() was added in
OpenSSL 0.9.3.
completeServerCertPath = Layout::relative_to(params->serverCertPathOnly,
serverCertPtr);
- if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath,
SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)) {
SSLError("failed to load certificate from %s", (const char
*)completeServerCertPath);
goto fail;
}
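Review bot: the comment immediately above the changed line ("also loads only the first certificate, but it allows the intermediate CA certificate chain to be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.") was written to explain why the chain-file API was not yet used; now that the call is `SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)`, reword it to state what the code does (first CERTIFICATE block is the server cert, following blocks are sent as the chain in file order) and drop the "also" that refers to the removed `SSL_CTX_use_certificate_file` call. Since the chain now comes from the cert file itself, the `ssl_multicert.config` documentation should say that `ssl_ca_name` is optional when the intermediates are already in that file, which is exactly the use case the request describes.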
> __________________________________________
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
>
> Chained SSL certificates
>
> Put all the certificates in the ssl_cert file. For example when using a
> certificate
> signed by TDC the correct order is:
> Dovecot's public certificate
> TDC SSL Server CA
> TDC Internet Root CA
> Globalsign Partners CA
> __________________________________________
>
> [root@proxy:~]$ cat /etc/pki/wildcard.pem
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN PRIVATE KEY-----
> ********************
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
>
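The combined file layout shown above (server cert, private key, then the intermediates in chain order) is the one a chain-file loader such as `SSL_CTX_use_certificate_chain_file()` consumes: the first CERTIFICATE block becomes the server certificate and the following CERTIFICATE blocks become the chain, in file order. The script below is an added example, not code from Traffic Server or Dovecot; it splits a combined PEM into blocks and checks the layout before the file is handed to a server, assuming (as OpenSSL's PEM reader does) that a key block between the certificates is simply skipped when certificates are read. The PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import re
from typing import Dict, List, Tuple

# One PEM block: the label is e.g. "CERTIFICATE" or "PRIVATE KEY".
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block, in file order."""
    blocks = []
    for m in _BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def check_chain_file(text: str) -> Dict[str, object]:
    """Describe how a chain-file loader would consume this combined PEM."""
    blocks = split_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block: nothing to use as the server cert")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for i, der in enumerate(certs):
        # Every X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append(f"certificate #{i} does not decode to a DER SEQUENCE")
    return {
        "leaf": certs[0] if certs else None,   # used as the server certificate
        "chain_len": max(len(certs) - 1, 0),    # intermediates sent after the leaf
        "keys": len(keys),
        "problems": problems,
    }


def _pem(label: str, body: str = "MIIBAAAA") -> str:
    # Constructed placeholder body: decodes to bytes starting with 0x30.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample mirroring the wildcard.pem layout quoted in the mail.
WILDCARD_PEM = (_pem("CERTIFICATE") + _pem("PRIVATE KEY")
                + _pem("CERTIFICATE") * 3)

if __name__ == "__main__":
    print(check_chain_file(WILDCARD_PEM))
```

A file that contains only a key, or more than one key, is reported in `problems` rather than silently producing a server with no certificate.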