Message ID | 1516498604-20963-1-git-send-email-iboukris@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | TLS: Load chain certificates from client_cert file | expand |
Hi, On Sun, Jan 21, 2018 at 4:36 AM, Isaac Boukris <iboukris@gmail.com> wrote: > This helps the server to build the chain to trusted CA. > > Signed-off-by: Isaac Boukris <iboukris@gmail.com> > --- > src/crypto/tls_openssl.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c > index ce73848..3d789bb 100644 > --- a/src/crypto/tls_openssl.c > +++ b/src/crypto/tls_openssl.c > @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn, > return 0; > } > > - if (SSL_use_certificate_file(conn->ssl, client_cert, > - SSL_FILETYPE_PEM) == 1) { > + if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { > ERR_clear_error(); > - wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)" > + wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file" > " --> OK"); > return 0; > } > -- I'd like to reference the case where I found this useful against FreeRadius server, see: http://lists.freeradius.org/pipermail/freeradius-users/2018-January/090245.html I left it unconditional as I assumed that without this change it wouldn't make much sense having the chain included. Review appreciated. Thank you, Isaac B.
On Sun, Jan 21, 2018 at 01:36:44AM +0000, Isaac Boukris wrote:
> This helps the server to build the chain to trusted CA.
Thanks, applied.
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index ce73848..3d789bb 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn, return 0; } - if (SSL_use_certificate_file(conn->ssl, client_cert, - SSL_FILETYPE_PEM) == 1) { + if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { ERR_clear_error(); - wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)" + wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file" " --> OK"); return 0; }
This helps the server to build the chain to trusted CA. Signed-off-by: Isaac Boukris <iboukris@gmail.com> --- src/crypto/tls_openssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)