Re: Chained + unchained SSL cert patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 3 Aug 2005 16:42:27 +0200 (CEST)

On Mon, 25 Jul 2005, Travis Lansdell wrote:

> The problem I had with the Squid-provided patch is that I couldn't use
> both chained and regular SSL certificates simultaneously

I have no problems here mixing chained and unchained certificates freely
with the SSL update to 2.5. I most frequently use a number of unchained
certificates, but occasionally there are a couple of chained certificates
in the mix and no problems have been observed for a very long time.

> - if (!SSL_CTX_use_certificate_file(sslContext, certfile,
> SSL_FILETYPE_PEM)) {
> - ssl_error = ERR_get_error();
> - fatalf("Failed to acquire SSL certificate: %s\n",
> - ERR_error_string(ssl_error, NULL));
> + if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
> + if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
> + ssl_error = ERR_get_error();
> + fatalf("Failed to acquire SSL certificate: %s\n",
> + ERR_error_string(ssl_error, NULL));
> + }
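Review bot: the fallback to SSL_CTX_use_certificate_file inside the failure branch of SSL_CTX_use_certificate_chain_file is redundant, since the chain loader also accepts a PEM file holding a single certificate, so when the chain load fails the single-certificate load of the same file fails too. Simplify to one `if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {` guarding the existing ssl_error/fatalf lines. If the fallback is kept anyway, note that ERR_get_error() returns the oldest queued error, so the message printed describes the chain-load failure rather than the fallback's own; an ERR_clear_error() before the fallback call would be needed to report the fallback's error instead.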

The inner SSL_CTX_use_certificate_file call here is redundant as
SSL_CTX_use_certificate_chain_file also loads unchained certificates. If
SSL_CTX_use_certificate_chain_file fails then SSL_CTX_use_certificate_file
will fail as well. At least according to documentation and my experience
of these functions and the OpenSSL error stack.

Some time ago an unrelated OpenSSL problem was discovered relating to CA
certificates which would cause loading of the next certificate to always
fail in some situations involving the clientca option. Maybe you were
bitten by this?

The SSL code in 2.5 is known to be quite broken in several aspects, not
just the lack of support for chained certificates. There are also issues
with handling of largeish SSL segments in POSTs etc. and a number of other
problems addressed by the SSL update, several of which require quite
significant reworkings of how the SSL I/O operations are scheduled. For
this reason I have selected not to touch the code for the duration of 2.5
and instead refer to the SSL update for people needing more advanced SSL
functionality.

Regards
Henrik
Received on Wed Aug 03 2005 - 08:42:30 MDT
