Posted to issues@trafficserver.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/08/11 22:20:22 UTC

[jira] [Work logged] (TS-4619) intermediate certificate chain loading can miss certificates

     [ https://issues.apache.org/jira/browse/TS-4619?focusedWorklogId=26341&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-26341 ]

ASF GitHub Bot logged work on TS-4619:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Aug/16 22:19
            Start Date: 11/Aug/16 22:19
    Worklog Time Spent: 10m 
      Work Description: GitHub user shinrich opened a pull request:

    https://github.com/apache/trafficserver/pull/853

    TS-4619: intermediate chain loading can miss certificates.

    Made the changes @jpeach suggested in the bug.  Tested with three deep chains for rsa and ec (cert and two signers).  Tested with both signers in the ssl_ca_name files.  Tested with all three certs in the ssl_cert_name file.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-4619

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/853.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #853
    
----
commit 0ea0f210d8e0cda1e58d807a9884f7ec81f25c75
Author: shinrich <sh...@ieee.org>
Date:   2016-08-11T22:16:17Z

    TS-4619: intermediate chain loading can miss certificates.

----


Issue Time Tracking
-------------------

            Worklog Id:     (was: 26341)
            Time Spent: 10m
    Remaining Estimate: 0h

> intermediate certificate chain loading can miss certificates
> ------------------------------------------------------------
>
>                 Key: TS-4619
>                 URL: https://issues.apache.org/jira/browse/TS-4619
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: James Peach
>            Assignee: James Peach
>             Fix For: 7.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When loading intermediate SSL certificates, the original code used {{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the file.
> The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single {{X509 *}}, so it only ends up loading the first intermediate rather than all of them.
> This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do here is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and inside {{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}} if it is available.
> Also take a look at the place where the server certificate is loaded. This is also allowed to be a bundle, so we can call {{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication, though at this point we already have a {{BIO}} in hand that we would need to use.



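The failure mode in the quoted issue description, as an added example that is not Traffic Server or OpenSSL code: a dependency-free C model of reading a PEM bundle once versus reading it until it is exhausted. The function names, the `pem_next_cert` helper (a stand-in for one certificate read from a `BIO`) and the sample bundle are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed sample: leaf plus two signers; bodies are placeholders, not real DER. */
static const char SAMPLE_BUNDLE[] =
    PEM_BEGIN "\nAAAA\n" PEM_END "\n"
    PEM_BEGIN "\nBBBB\n" PEM_END "\n"
    PEM_BEGIN "\nCCCC\n" PEM_END "\n";

/* Advance *cursor past the next certificate block. Returns 1 if a block was
 * found, 0 at clean end of input, -1 if a BEGIN marker has no matching END. */
static int pem_next_cert(const char **cursor)
{
    const char *begin = strstr(*cursor, PEM_BEGIN);
    if (begin == NULL)
        return 0;
    const char *end = strstr(begin + strlen(PEM_BEGIN), PEM_END);
    if (end == NULL)
        return -1;
    *cursor = end + strlen(PEM_END);
    return 1;
}

/* Models the regression: one read, one certificate added, rest of file ignored. */
int load_first_only(const char *bundle)
{
    const char *cursor = bundle;
    return pem_next_cert(&cursor) == 1 ? 1 : 0;
}

/* Models the fix: keep reading until the input is exhausted. Returns the count
 * added, or -1 so a truncated file is not mistaken for a short chain. */
int load_all(const char *bundle)
{
    const char *cursor = bundle;
    int added = 0, rc;
    while ((rc = pem_next_cert(&cursor)) == 1)
        added++; /* a real loader would hand the certificate to the SSL context here */
    return rc < 0 ? -1 : added;
}

int main(void)
{
    printf("first-only: %d, all: %d\n", load_first_only(SAMPLE_BUNDLE), load_all(SAMPLE_BUNDLE));
    return 0;
}
```

Comparing the count from a loader like `load_all` against the number of certificates in the configured file is a quick regression check for a three-deep chain such as the one the pull request was tested with.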