From patchwork Tue Nov 15 01:03:19 2011
Subject: Send whole certificate chain from file
Date: Mon, 14 Nov 2011 15:03:19 -0000
From: Maciej Szmigiero
X-Patchwork-Id: 125651
Message-Id: <4EC1BA57.3080900@o2.pl>
To: hostap@lists.shmoo.com

Currently the OpenSSL implementation of TLS in hostapd loads only the top certificate in the server certificate file. This requires any intermediate certs to be installed on the client machine in order for it to be able to verify the server cert properly, and violates the TLS spec (section 7.4.2) when used with such intermediate certs.

In contrast, the GnuTLS implementation correctly loads the whole chain if it is present in the server certificate file.

This patch tries to load the whole chain first in the OpenSSL implementation, then reverts to the old behavior if it fails.

Signed-off-by: Maciej Szmigiero

--- src/crypto/tls_openssl.c.old 2010-09-07 17:43:39.000000000 +0200 +++ src/crypto/tls_openssl.c 2011-04-12 14:45:24.968047291 +0200 @@ -1586,6 +1586,7 @@ if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_ASN1) != 1 && + SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 && SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_PEM) != 1) { tls_show_errors(MSG_INFO, __func__,
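Review bot: the ordering of the three calls in this hunk needs a comment, because why it works is not visible from the code: SSL_CTX_use_certificate_chain_file() reads PEM only, so the SSL_FILETYPE_ASN1 attempt has to stay first, and the chain call has to come before the single-cert PEM call or the intermediates in the file would never be attached to the context. After this change the final `SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_PEM)` is reached only when the chain load has already failed on a PEM file (for instance a readable first certificate followed by a malformed one), so say in a comment that it is kept as the pre-patch fallback rather than as the normal PEM path, and note that tls_show_errors() on the following line will now also report the chain failure when all three calls fail. It would also help to document, in the commit message or alongside the server certificate option in the configuration, that the file must contain the server certificate first followed by the intermediates in issuing order, which is the layout SSL_CTX_use_certificate_chain_file() expects.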