Posted to issues@trafficserver.apache.org by "vijaya bhaskar mamidi (JIRA)" <ji...@apache.org> on 2010/10/21 18:36:16 UTC
[jira] Created: (TS-494) SSL over ATS sending partial certificate chain
SSL over ATS sending partial certificate chain
-----------------------------------------------
Key: TS-494
URL: https://issues.apache.org/jira/browse/TS-494
Project: Traffic Server
Issue Type: Bug
Reporter: vijaya bhaskar mamidi
ATS is sending only the first certificate block from the file configured under the "proxy.config.ssl.server.cert_chain.filename" setting in records.config.
Code in SSLNet.cc:

int
SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char *file)
{
  BIO *in;
  int j;
  int ret = 0;
  X509 *x = NULL;

  in = BIO_new(BIO_s_file_internal());
  if (in == NULL) {
    SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
    goto end;
  }
  if (BIO_read_filename(in, file) <= 0) {
    SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
    goto end;
  }
  j = ERR_R_PEM_LIB;
  x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
  if (x == NULL) {
    SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
    goto end;
  }
  ret = SSL_CTX_add_extra_chain_cert(ctx, x);
end:
  // if (x != NULL) X509_free(x);
  if (in != NULL)
    BIO_free(in);
  return (ret);
}
It should loop across all the certs, and the code should be:

while ((x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata)) != NULL) {
  ret = SSL_CTX_add_extra_chain_cert(ctx, x);
  if (!ret) {
    X509_free(x);
    BIO_free(in);
    return -1;
  }
}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
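
Added example, not code from ATS or OpenSSL: a stand-alone C scanner that counts the complete CERTIFICATE blocks in a chain file's contents by reading until clean end of input, and treats a truncated or empty block as a failure of the whole file rather than as end of input. The function names are hypothetical and the sample bundle uses constructed placeholder bodies, not real certificates.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Advance *cursor past the next complete CERTIFICATE block.
 * Returns 1 if a block was consumed, 0 on clean end of input (no further
 * BEGIN line), -1 if a BEGIN line has no matching END or the body is empty. */
static int next_cert_block(const char **cursor)
{
    const char *begin = strstr(*cursor, PEM_BEGIN);
    if (begin == NULL)
        return 0;                       /* clean end: nothing left to read */
    const char *body = begin + strlen(PEM_BEGIN);
    const char *end = strstr(body, PEM_END);
    const char *nested = strstr(body, PEM_BEGIN);
    if (end == NULL || (nested != NULL && nested < end))
        return -1;                      /* truncated or interleaved block */
    if (strspn(body, " \r\n\t") >= (size_t)(end - body))
        return -1;                      /* BEGIN/END pair with no body */
    *cursor = end + strlen(PEM_END);
    return 1;
}

/* Count every certificate in a PEM bundle the way a chain loader has to:
 * keep reading until clean end of input, and fail the file on a bad block.
 * Returns the number of blocks (0 for a file with none), or -1 on error. */
int count_chain_certs(const char *pem)
{
    int n = 0, rc;
    while ((rc = next_cert_block(&pem)) == 1)
        n++;
    return rc < 0 ? -1 : n;
}

/* Constructed sample: three blocks with placeholder bodies. */
static const char SAMPLE_CHAIN[] =
    PEM_BEGIN "\nAAAA\n" PEM_END "\n"
    PEM_BEGIN "\nAAAA\n" PEM_END "\n"
    PEM_BEGIN "\nAAAA\n" PEM_END "\n";

int main(void)
{
    printf("certificates in chain file: %d\n", count_chain_certs(SAMPLE_CHAIN));
    return 0;
}
```

Run against the contents of the file named in proxy.config.ssl.server.cert_chain.filename, the count is the number of chain certificates the server should present in addition to its own; with the single-read code above only the first of them is loaded.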
[jira] Updated: (TS-494) SSL over ATS sending partial certificate chain
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-494:
-----------------------------
Affects Version/s: 2.1.3
Fix Version/s: 2.1.4
[jira] Resolved: (TS-494) SSL over ATS sending partial certificate chain
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom resolved TS-494.
------------------------------
Resolution: Fixed