[TS-3027] Hashed SSL Intermediate Server Certs not recognized - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.1.0
Component/s: SSL
Labels:
None

Description

Tested on:
CentOS 6.5 x86_64
trafficserver-5.0.1

Pertinent Config Values:
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
(with and without CA.cert.filename configured)

CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0

c_rehash (from OpenSSL) called from command line to create hash symlinks

Currently, SSL_CTX_load_verify_locations is only called in two cases:
if (params->clientCertLevel != 0) {
and
if (params->clientVerify) {

Attached patch will create a precedence such that:
if ssl_ca_name= is configured in ssl_multicert.config
use that to build the cert chain
else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
use that file to build the chain
else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
use the hashed symlinks in that directory to build the chain
else
error out because we don't have the right configuration to build the chain

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HashedSSL.patch
20/Aug/14 16:36
1 kB
Steven Feltner

Activity

People

Assignee:: James Peach

Reporter:: Steven Feltner

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Aug/14 16:33

Updated:: 18/Dec/14 05:09

Resolved:: 22/Aug/14 20:05