Traffic Server / TS-3027

Hashed SSL Intermediate Server Certs not recognized

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.1.0
    • Component/s: SSL
    • Labels: None

    Description

      Tested on:
        CentOS 6.5 x86_64
        trafficserver-5.0.1

      Pertinent config values:
        CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
        #CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
        CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
      (with and without CA.cert.filename configured)

        CONFIG proxy.config.ssl.client.certification_level INT 0
        CONFIG proxy.config.ssl.client.verify.server INT 0

      c_rehash (from OpenSSL) was called from the command line to create the hash symlinks.

      Currently, SSL_CTX_load_verify_locations is only called in two cases:
        if (params->clientCertLevel != 0) {
      and
        if (params->clientVerify) {

      The attached patch will create a precedence such that:
        if ssl_ca_name= is configured in ssl_multicert.config
          use that to build the cert chain
        else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
          use that file to build the chain
        else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
          use the hashed symlinks in that directory to build the chain
        else
          error out because we don't have the right configuration to build the chain
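The precedence above, modelled as an added example that is not part of the issue, the attached patch, or the Traffic Server code base. It parses a constructed copy of the records.config lines quoted in the report (treating the STRING value NULL as unset), resolves which CA source wins, and loads that source into an OpenSSL trust store through Python's ssl.SSLContext.load_verify_locations(), which wraps the same SSL_CTX_load_verify_locations call the report discusses. Joining CA.cert.filename onto CA.cert.path, and the function and key names, are this example's own assumptions.

```python
"""Added example (not Traffic Server code): CA-source precedence for TS-3027."""
import os
import ssl
import tempfile

# Constructed sample of the records.config lines quoted in the report.
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0
"""


def parse_records_config(text):
    """Parse 'CONFIG <name> <TYPE> <value>' lines into a dict.

    Comment lines are skipped; a STRING whose value is the literal NULL
    is stored as None so it reads as 'not configured' below.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] != "CONFIG":
            continue
        _, name, rtype, value = parts
        if rtype == "STRING":
            records[name] = None if value == "NULL" else value
        elif rtype == "INT":
            records[name] = int(value)
        else:
            records[name] = value
    return records


def resolve_ca_source(records, ssl_ca_name=None):
    """Apply the precedence described in the report.

    ssl_ca_name stands for the ssl_ca_name= value of the matching
    ssl_multicert.config entry (None when absent). Returns a dict with the
    winning source and the cafile/capath pair to hand to OpenSSL, or raises
    ValueError when nothing usable is configured (the 'error out' branch).
    """
    ca_file = records.get("proxy.config.ssl.CA.cert.filename")
    ca_path = records.get("proxy.config.ssl.CA.cert.path")
    if ssl_ca_name:
        return {"source": "ssl_multicert", "cafile": ssl_ca_name, "capath": None}
    if ca_file:
        # Assumption for this example: a relative filename lives under CA.cert.path.
        cafile = ca_file if os.path.isabs(ca_file) or not ca_path else os.path.join(ca_path, ca_file)
        return {"source": "CA.cert.filename", "cafile": cafile, "capath": None}
    if ca_path:
        # Directory of c_rehash-style hashed symlinks; OpenSSL looks certs up by hash on demand.
        return {"source": "CA.cert.path", "cafile": None, "capath": ca_path}
    raise ValueError("no CA source configured: set ssl_ca_name, CA.cert.filename or CA.cert.path")


def load_trust_store(records, ssl_ca_name=None):
    """Build a server context and load the resolved CA source into it.

    This happens unconditionally, independent of the client-certificate
    settings that currently gate the call in Traffic Server.
    """
    choice = resolve_ca_source(records, ssl_ca_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_verify_locations(cafile=choice["cafile"], capath=choice["capath"])
    return choice


def demo():
    """Run the report's configuration with CA.cert.path pointed at a temporary
    (empty) hashed-cert directory so the example works offline."""
    records = parse_records_config(RECORDS_CONFIG)
    with tempfile.TemporaryDirectory() as hashed_dir:
        records["proxy.config.ssl.CA.cert.path"] = hashed_dir
        choice = load_trust_store(records)
        choice["capath_existed"] = os.path.isdir(choice["capath"])
    return choice


if __name__ == "__main__":
    print(demo())
```

With the values quoted in the report (filename NULL, path set) the third branch wins and only capath is passed to OpenSSL; uncommenting the combined_ca_bundle.crt line switches the choice to the single bundle file.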

      Attachments

        1. HashedSSL.patch (1 kB, Steven Feltner)

      People

        Assignee: James Peach (jamespeach)
        Reporter: Steven Feltner (reveller)
        Votes: 0
        Watchers: 2