TLS: Load chain certificates from client_cert file

Message ID 1516498604-20963-1-git-send-email-iboukris@gmail.com
State New
Headers show
Series
  • TLS: Load chain certificates from client_cert file
Related show

Commit Message

Isaac Boukris Jan. 21, 2018, 1:36 a.m.
This helps the server to build the chain to trusted CA.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
---
 src/crypto/tls_openssl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comments

Isaac Boukris March 26, 2018, 1:51 a.m. | #1
Hi,

On Sun, Jan 21, 2018 at 4:36 AM, Isaac Boukris <iboukris@gmail.com> wrote:
> This helps the server to build the chain to trusted CA.
>
> Signed-off-by: Isaac Boukris <iboukris@gmail.com>
> ---
>  src/crypto/tls_openssl.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index ce73848..3d789bb 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn,
>                 return 0;
>         }
>
> -       if (SSL_use_certificate_file(conn->ssl, client_cert,
> -                                    SSL_FILETYPE_PEM) == 1) {
> +       if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
>                 ERR_clear_error();
> -               wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
> +               wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
>                            " --> OK");
>                 return 0;
>         }
> --


I'd like to reference the case where I found this useful against
FreeRadius server, see:
http://lists.freeradius.org/pipermail/freeradius-users/2018-January/090245.html

I left it unconditional as I assumed that without this change it
wouldn't make much sense having the chain included.

Review appreciated.

Thank you,
Isaac B.

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ce73848..3d789bb 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2653,10 +2653,9 @@  static int tls_connection_client_cert(struct tls_connection *conn,
 		return 0;
 	}
 
-	if (SSL_use_certificate_file(conn->ssl, client_cert,
-				     SSL_FILETYPE_PEM) == 1) {
+	if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
 		ERR_clear_error();
-		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
+		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
 			   " --> OK");
 		return 0;
 	}