You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2010/11/02 18:18:27 UTC

[jira] Resolved: (TS-494) SSL over ATS sending partial certificate chain

     [ https://issues.apache.org/jira/browse/TS-494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom resolved TS-494.
------------------------------

    Resolution: Fixed

> SSL over ATS sending partial certificate chain 
> -----------------------------------------------
>
>                 Key: TS-494
>                 URL: https://issues.apache.org/jira/browse/TS-494
>             Project: Traffic Server
>          Issue Type: Bug
>    Affects Versions: 2.1.3
>            Reporter: vijaya bhaskar mamidi
>             Fix For: 2.1.4
>
>
> ATS is sending only the first certificate block from the file configured under the "proxy.config.ssl.server.cert_chain.filename" setting in records.config.
> Code in SSLNet.cc
> int
> SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char *file)
> {
>   BIO *in;
>   int j;
>   int ret = 0;
>   X509 *x = NULL;
>   in = BIO_new(BIO_s_file_internal());
>   if (in == NULL) {
>     SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
>     goto end;
>   }
>   if (BIO_read_filename(in, file) <= 0) {
>     SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
>     goto end;
>   }
>   j = ERR_R_PEM_LIB;
>   x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
>   if (x == NULL) {
>     SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
>     goto end;
>   }
>   ret = SSL_CTX_add_extra_chain_cert(ctx, x);
> end:
>   //  if (x != NULL) X509_free(x);
>   if (in != NULL)
>     BIO_free(in);
>   return (ret);
> }
> should loop across  all the cert and the code should be:
>  while ((x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata)) != NULL) {
> 	ret = SSL_CTX_add_extra_chain_cert(ctx, x);
>         if (!ret) {
>         X509_free(x);
>         BIO_free(in);
>        return -1;
>       }
>    } 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.