Posted to users@trafficserver.apache.org by Reindl Harald <h....@thelounge.net> on 2014/01/31 18:14:07 UTC

TLS wishlist: Chained SSL certificates

one thing would be fine too

* having a PEM file with Cert/Key/Intermediate-CA
* in that case no need for "ssl_ca_name" in "ssl_multicert.config"

the valid use case here is that the wildcard-cert we are using starting
with 2014/01 is used for mail, http and whatnot - dovecot has no config
for the CA file, so the PEM file contains already the full chain which
looks like at the bottom

in case of different certs from different CAs used for different
services this may make things less error-prone, not a big deal, only
a wish if someone has the knowledge and is willing to implement it
__________________________________________

http://wiki2.dovecot.org/SSL/DovecotConfiguration

Chained SSL certificates

Put all the certificates in the ssl_cert file. For example when using a certificate
signed by TDC the correct order is:
    Dovecot's public certificate
    TDC SSL Server CA
    TDC Internet Root CA
    Globalsign Partners CA
__________________________________________

[root@proxy:~]$ cat /etc/pki/wildcard.pem
-----BEGIN CERTIFICATE-----
********************
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
********************
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
********************
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
********************
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
********************
-----END CERTIFICATE-----
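The layout Reindl describes (one PEM file holding the server certificate, its private key and the CA chain, with the leaf first and the CAs in signing order, as on the Dovecot page quoted above) can be checked mechanically before a service is restarted against it. The following Python is an added example, not code from this thread, Traffic Server or Dovecot: it splits a PEM bundle into blocks, applies the ordering rules OpenSSL's SSL_CTX_use_certificate_chain_file() follows (the first CERTIFICATE block is the server certificate, every later CERTIFICATE block is appended to the chain in file order, blocks with other labels are skipped), and can split the bundle into separate chain and key files for software that wants them apart. The sample bundle is constructed with placeholder base64 bodies rather than real certificates, so the check covers framing and order only, not signatures or issuer/subject links.

```python
import base64
import re

# Constructed sample in the layout from the post: leaf certificate, then the
# private key, then the intermediate and root CA certificates.  The bodies
# are placeholder base64 (short strings), not real DER, so only the PEM
# framing and the block order are exercised.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
bGVhZiBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
cHJpdmF0ZSBrZXk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlIENB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdCBDQQ==
-----END CERTIFICATE-----
"""

# One PEM block: a BEGIN line, the body, and the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem_bundle(text):
    """Split a PEM file into (label, der_bytes) tuples in file order.

    Raises ValueError on a body that is not valid base64, so a truncated or
    copy-and-paste-damaged block is reported instead of silently dropped.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        # before the base64 body; base64 never contains ':' so drop those.
        raw = "".join(ln for ln in lines if ln and ":" not in ln)
        try:
            der = base64.b64decode(raw, validate=True)
        except ValueError as exc:
            raise ValueError(f"block {len(blocks)} ({label}): bad base64: {exc}")
        blocks.append((label, der))
    return blocks


def audit_bundle(blocks):
    """Return a list of layout findings; an empty list means the bundle can be
    handed to a loader built on SSL_CTX_use_certificate_chain_file() as a
    single cert+key+chain file.  The key may sit between certificates, as in
    the post's wildcard.pem, because OpenSSL skips non-matching PEM blocks
    while reading the chain."""
    findings = []
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    keys = [label for label in labels if label in KEY_LABELS]
    if certs == 0:
        findings.append("no CERTIFICATE block: the server certificate is missing")
    elif certs == 1:
        findings.append("only one CERTIFICATE block: no intermediate CA chain is shipped")
    if not keys:
        findings.append("no private key block: the key must be loaded from a separate file")
    elif len(keys) > 1:
        findings.append(f"{len(keys)} private key blocks: only the first is used, remove the rest")
    if "ENCRYPTED PRIVATE KEY" in keys:
        findings.append("encrypted private key: unattended start needs a passphrase callback")
    for label in sorted(set(labels) - KEY_LABELS - {"CERTIFICATE"}):
        findings.append(f"unexpected block {label!r} is skipped by the certificate loader")
    return findings


def to_pem(label, der):
    """Re-encode one block with the conventional 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def split_bundle(blocks):
    """Split a combined bundle into (cert_chain_pem, key_pem) for software that
    wants the key in its own file (Dovecot's ssl_key, or an ssl_multicert.config
    entry with a separate ssl_key_name).  Certificate order is preserved."""
    chain = "".join(to_pem(l, d) for l, d in blocks if l == "CERTIFICATE")
    key = "".join(to_pem(l, d) for l, d in blocks if l in KEY_LABELS)
    return chain, key


if __name__ == "__main__":
    parsed = parse_pem_bundle(SAMPLE_BUNDLE)
    print([label for label, _ in parsed])
    print(audit_bundle(parsed) or "bundle layout OK")
```

The same ordering rule is what Python's own ssl.SSLContext.load_cert_chain(certfile) applies when no separate keyfile is given, since it calls SSL_CTX_use_certificate_chain_file(), SSL_CTX_use_PrivateKey_file() and SSL_CTX_check_private_key() on that one file; a bundle that passes audit_bundle() but fails there most likely has a key that does not match the first certificate.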


Re: TLS wishlist: Chained SSL certificates

Posted by James Peach <jp...@apache.org>.
On Feb 24, 2014, at 3:50 PM, Reindl Harald <h....@thelounge.net> wrote:

> 
> 
> On 25.02.2014 00:42, James Peach wrote:
>> On Jan 31, 2014, at 9:14 AM, Reindl Harald <h....@thelounge.net> wrote:
>> 
>>> one thing would be fine too
>>> 
>>> * having a PEM file with Cert/Key/Intermediate-CA
>>> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
>>> 
>>> the valid use case here is that the wildcard-cert we are using starting
>>> with 2014/01 is used for mail, http and whatnot - dovecot has no config
>>> for the CA file, so the PEM file contains already the full chain which
>>> looks like at the bottom
>>> 
>>> in case of different certs from different CAs used for different
>>> services this may make things less error-prone, not a big deal, only
>>> a wish if someone has the knowledge and is willing to implement it
>> 
>> I think that this should be straightforward. I even have a comment in the code saying that using a different OpenSSL API would make this work. Does this patch work?
> 
> thanks for feedback, sadly i am out of test environments for that because
> the testservers are all using self-signed certificates with no CA
> 
> for the moment i can apply that to 4.2.0 RC0 and verify normal TLS
> operations and as soon as 4.20 is out test it on the production machine
> which for now only has one more or less testing domain for TLS

https://issues.apache.org/jira/browse/TS-2649

This is fixed for the 5.1 release.

J

Re: TLS wishlist: Chained SSL certificates

Posted by Reindl Harald <h....@thelounge.net>.

On 25.02.2014 00:42, James Peach wrote:
> On Jan 31, 2014, at 9:14 AM, Reindl Harald <h....@thelounge.net> wrote:
> 
>> one thing would be fine too
>>
>> * having a PEM file with Cert/Key/Intermediate-CA
>> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
>>
>> the valid use case here is that the wildcard-cert we are using starting
>> with 2014/01 is used for mail, http and whatnot - dovecot has no config
>> for the CA file, so the PEM file contains already the full chain which
>> looks like at the bottom
>>
>> in case of different certs from different CAs used for different
>> services this may make things less error-prone, not a big deal, only
>> a wish if someone has the knowledge and is willing to implement it
> 
> I think that this should be straightforward. I even have a comment in the code saying that using a different OpenSSL API would make this work. Does this patch work?

thanks for feedback, sadly i am out of test environments for that because
the testservers are all using self-signed certificates with no CA

for the moment i can apply that to 4.2.0 RC0 and verify normal TLS
operations and as soon as 4.20 is out test it on the production machine
which for now only has one more or less testing domain for TLS

i should not copy the 3 years valid wildcard cert to test VMs :-)

unified diff as attachment would be appreciated for rpmbuild
c&p likely damages patchfiles

> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index ca1b82b..6311834 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -449,7 +449,7 @@ SSLInitServerContext(
>    // also loads only the first certificate, but it allows the intermediate CA certificate chain to
>    // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
>    completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
> -  if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
> +  if (!SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)) {
>      SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
>      goto fail;
>    }
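Review bot: with SSL_CTX_use_certificate_chain_file() in the changed line, the unchanged "failed to load certificate from %s" message now also fires when the leaf loaded fine but a later CERTIFICATE block in the same file is malformed, so an operator cannot tell a bad leaf from a bad intermediate; make sure SSLError() appends the OpenSSL error queue text for this call, or log how many chain certificates were read before the failure.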
> 
> 
>> __________________________________________
>>
>> http://wiki2.dovecot.org/SSL/DovecotConfiguration
>>
>> Chained SSL certificates
>>
>> Put all the certificates in the ssl_cert file. For example when using a certificate
>> signed by TDC the correct order is:
>>    Dovecot's public certificate
>>    TDC SSL Server CA
>>    TDC Internet Root CA
>>    Globalsign Partners CA
>> __________________________________________
>>
>> [root@proxy:~]$ cat /etc/pki/wildcard.pem
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN PRIVATE KEY-----
>> ********************
>> -----END PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> ********************
>> -----END CERTIFICATE-----


Re: TLS wishlist: Chained SSL certificates

Posted by James Peach <jp...@apache.org>.
On Jan 31, 2014, at 9:14 AM, Reindl Harald <h....@thelounge.net> wrote:

> one thing would be fine too
> 
> * having a PEM file with Cert/Key/Intermediate-CA
> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
> 
> the valid use case here is that the wildcard-cert we are using starting
> with 2014/01 is used for mail, http and whatnot - dovecot has no config
> for the CA file, so the PEM file contains already the full chain which
> looks like at the bottom
> 
> in case of different certs from different CAs used for different
> services this may make things less error-prone, not a big deal, only
> a wish if someone has the knowledge and is willing to implement it

I think that this should be straightforward. I even have a comment in the code saying that using a different OpenSSL API would make this work. Does this patch work?

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ca1b82b..6311834 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -449,7 +449,7 @@ SSLInitServerContext(
   // also loads only the first certificate, but it allows the intermediate CA certificate chain to
   // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
   completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
-  if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
+  if (!SSL_CTX_use_certificate_chain_file(ctx, completeServerCertPath)) {
     SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
     goto fail;
   }
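Review bot: the two comment lines kept as context above the change ("also loads only the first certificate, but it allows the intermediate CA certificate chain to be in the same file") describe the SSL_CTX_use_certificate_file() call this hunk removes and read as stale once it is gone; rewrite them to state the new contract, that the first CERTIFICATE block in the file is taken as the server certificate and every later CERTIFICATE block is attached to the chain in file order, so the leaf must come first. Two follow-ups worth checking in the same function: the new call loads certificates only, so the private key path must still run for a cert file that carries the key, and if ssl_ca_name is also configured for the same entry both the in-file chain and the CA file chain would be attached; either document which one wins or reject the combination.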


> __________________________________________
> 
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
> 
> Chained SSL certificates
> 
> Put all the certificates in the ssl_cert file. For example when using a certificate
> signed by TDC the correct order is:
>    Dovecot's public certificate
>    TDC SSL Server CA
>    TDC Internet Root CA
>    Globalsign Partners CA
> __________________________________________
> 
> [root@proxy:~]$ cat /etc/pki/wildcard.pem
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN PRIVATE KEY-----
> ********************
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ********************
> -----END CERTIFICATE-----
>