
List:       squid-dev
Subject:    Re: Chained + unchained SSL cert patch
From:       Henrik Nordstrom <hno () squid-cache ! org>
Date:       2005-08-03 14:42:27
Message-ID: Pine.LNX.4.61.0508031610310.6124 () localhost ! localdomain

On Mon, 25 Jul 2005, Travis Lansdell wrote:

> The problem I had with the Squid-provided patch is that I couldn't use
> both chained and regular SSL certificates simultaneously

I have no problems here to mix chained and unchained certificates freely 
with the SSL update to 2.5. I most frequently use a number of unchained 
certificates, but occasionally there are a couple of chained certificates 
in the mix and no problems have been observed for a very long time.

> -    if (!SSL_CTX_use_certificate_file(sslContext, certfile,
> SSL_FILETYPE_PEM)) {
> -	ssl_error = ERR_get_error();
> -	fatalf("Failed to acquire SSL certificate: %s\n",
> -	    ERR_error_string(ssl_error, NULL));
> +    if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
> +	if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
> +	    ssl_error = ERR_get_error();
> +	    fatalf("Failed to acquire SSL certificate: %s\n",
> +		ERR_error_string(ssl_error, NULL));
> +	}
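Review bot: the nested fallback at `+    if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {` is redundant and makes the error reporting less precise. SSL_CTX_use_certificate_chain_file() already accepts a PEM file that holds a single certificate, so whenever the outer call fails the inner one fails for the same reason; the only effect of the retry is that the chain call's errors stay on the OpenSSL error queue ahead of the second call's, so the `ERR_get_error()` consumed by the `fatalf()` does not necessarily describe the call the code structure suggests. The simpler change is to replace the removed `SSL_CTX_use_certificate_file` call with the single `SSL_CTX_use_certificate_chain_file` call and keep the original `ssl_error`/`fatalf` handling unchanged. Note also that the hunk as quoted stops at the inner `}` and does not show the closing brace of the new outer `if`, so the patch should be checked for completeness before it is applied.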

The inner SSL_CTX_use_certificate_file call here is redundant as 
SSL_CTX_use_certificate_chain_file also loads unchained certificates. If 
SSL_CTX_use_certificate_chain_file fails then SSL_CTX_use_certificate_file 
will fail as well. At least according to documentation and my experience 
of these functions and the OpenSSL error stack.

Some time ago an unrelated OpenSSL problem was discovered relating to CA 
certificates which would cause loading of the next certificate to always 
fail in some situations involving the clientca option. Maybe you were 
bitten by this?

The SSL code in 2.5 is known to be quite broken in several aspects, not 
just the lack of support for chained certificates. There are also issues 
with handling of largeish SSL segments in POSTs etc and a number of other 
problems addressed by the SSL update, several of which require quite 
significant reworkings of how the SSL I/O operations are scheduled. For 
this reason I have selected to not touch the code for the duration of 2.5 
and instead refer to the SSL update for people needing more advanced SSL 
functionality.

Regards
Henrik
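The thread talks about "chained" and "unchained" certificate files without showing what distinguishes them. The following Python example is added here and is not code from the thread or from Squid; it models the file layout that SSL_CTX_use_certificate_chain_file() reads, where the first CERTIFICATE block is the server certificate and every later CERTIFICATE block is an extra chain certificate, so a file with a single certificate is just a chain of length one. The PEM bodies are constructed placeholder bytes, not real certificates, and the function names are this example's own.

```python
"""
Added example (not from the squid-dev thread or from Squid): a minimal
model of how a PEM "chain file" is read.  OpenSSL's
SSL_CTX_use_certificate_chain_file() takes the first CERTIFICATE block as
the server certificate and every following CERTIFICATE block as an extra
chain certificate, so a file holding one certificate is a chain of length
one.  The PEM bodies below are constructed placeholders, not real
certificates.
"""
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL
)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text.

    Raises ValueError if a block's body is not valid base64, which is the
    kind of defect that makes both OpenSSL loaders fail."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"malformed {label} block: {exc}") from exc
        blocks.append((label, der))
    return blocks


def load_certificate_chain(text):
    """Mirror the semantics of SSL_CTX_use_certificate_chain_file():
    leaf = first CERTIFICATE block, chain = all later CERTIFICATE blocks.
    Blocks with other labels (such as a PRIVATE KEY) are skipped.
    Returns (leaf_der, [chain_der, ...]); raises ValueError when the file
    contains no certificate at all."""
    certs = [der for label, der in parse_pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs[0], certs[1:]


def pem(label, payload):
    """Wrap raw bytes in a PEM block with 64-character body lines."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample files (placeholder bytes, not real DER certificates).
LEAF_BYTES = b"constructed leaf certificate bytes"
INTERMEDIATE_BYTES = b"constructed intermediate CA bytes"
LEAF = pem("CERTIFICATE", LEAF_BYTES)
INTERMEDIATE = pem("CERTIFICATE", INTERMEDIATE_BYTES)
KEY = pem("PRIVATE KEY", b"constructed private key bytes")

UNCHAINED_FILE = LEAF + KEY                 # one certificate, plus key
CHAINED_FILE = LEAF + INTERMEDIATE + KEY    # leaf, then its intermediate


def describe(text):
    """Summarise a certificate file the way a chain loader sees it."""
    leaf, chain = load_certificate_chain(text)
    return {"leaf_len": len(leaf), "chain_certs": len(chain)}


if __name__ == "__main__":
    print("unchained:", describe(UNCHAINED_FILE))   # chain_certs == 0
    print("chained:  ", describe(CHAINED_FILE))     # chain_certs == 1
```

In real code the same behaviour comes from `ssl.SSLContext.load_cert_chain(certfile)`, which CPython implements on top of SSL_CTX_use_certificate_chain_file(); the point of the model is that a single-certificate file needs no separate code path, which is why the fallback in the quoted patch adds nothing.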