TLS: Load chain certificates from client_cert file

Message ID	1516498604-20963-1-git-send-email-iboukris@gmail.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Isaac Boukris <iboukris@gmail.com> To: hostap@lists.infradead.org Subject: [PATCH] TLS: Load chain certificates from client_cert file Date: Sun, 21 Jan 2018 01:36:44 +0000 Message-Id: <1516498604-20963-1-git-send-email-iboukris@gmail.com> summary: Content analysis details: (-2.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [2a00:1450:400c:c0c:0:0:0:244 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (iboukris[at]gmail.com) -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Cc: Isaac Boukris <iboukris@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	TLS: Load chain certificates from client_cert file \| expand TLS: Load chain certificates from client_cert file

Message ID

1516498604-20963-1-git-send-email-iboukris@gmail.com

State

Accepted

Headers

From: Isaac Boukris <iboukris@gmail.com>
To: hostap@lists.infradead.org
Subject: [PATCH] TLS: Load chain certificates from client_cert file
Date: Sun, 21 Jan 2018 01:36:44 +0000
Message-Id: <1516498604-20963-1-git-send-email-iboukris@gmail.com>
Precedence: list
Cc: Isaac Boukris <iboukris@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

TLS: Load chain certificates from client_cert file | expand

Comments

Isaac Boukris March 26, 2018, 1:51 a.m. UTC | #1

Hi,

On Sun, Jan 21, 2018 at 4:36 AM, Isaac Boukris <iboukris@gmail.com> wrote:
> This helps the server to build the chain to trusted CA.
>
> Signed-off-by: Isaac Boukris <iboukris@gmail.com>
> ---
>  src/crypto/tls_openssl.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index ce73848..3d789bb 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn,
>                 return 0;
>         }
>
> -       if (SSL_use_certificate_file(conn->ssl, client_cert,
> -                                    SSL_FILETYPE_PEM) == 1) {
> +       if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
>                 ERR_clear_error();
> -               wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
> +               wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
>                            " --> OK");
>                 return 0;
>         }
> --


I'd like to reference the case where I found this useful against
FreeRadius server, see:
http://lists.freeradius.org/pipermail/freeradius-users/2018-January/090245.html

I left it unconditional as I assumed that without this change it
wouldn't make much sense having the chain included.

Review appreciated.

Thank you,
Isaac B.

Jouni Malinen Jan. 2, 2019, 11:56 a.m. UTC | #2

On Sun, Jan 21, 2018 at 01:36:44AM +0000, Isaac Boukris wrote:
> This helps the server to build the chain to trusted CA.

Thanks, applied.

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ce73848..3d789bb 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2653,10 +2653,9 @@  static int tls_connection_client_cert(struct tls_connection *conn,
 		return 0;
 	}
 
-	if (SSL_use_certificate_file(conn->ssl, client_cert,
-				     SSL_FILETYPE_PEM) == 1) {
+	if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
 		ERR_clear_error();
-		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
+		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
 			   " --> OK");
 		return 0;
 	}

TLS: Load chain certificates from client_cert file

Commit Message

Comments

Patch