[TS-494] SSL over ATS sending partial certificate chain - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.3
Fix Version/s: 2.1.4
Component/s: None
Labels:
None

Description

ATS is sending only the first certificate block from the file configured under the "proxy.config.ssl.server.cert_chain.filename" setting in records.config.

Code in SSLNet.cc

int
SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char *file)
{
BIO *in;
int j;
int ret = 0;
X509 *x = NULL;

in = BIO_new(BIO_s_file_internal());
if (in == NULL)

{ SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); goto end; }

if (BIO_read_filename(in, file) <= 0)

{ SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); goto end; }

j = ERR_R_PEM_LIB;
x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata);
if (x == NULL)

{ SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); goto end; }

ret = SSL_CTX_add_extra_chain_cert(ctx, x);
end:
// if (x != NULL) X509_free;
if (in != NULL)
BIO_free(in);
return (ret);
}

should loop across all the cert and the code should be:

while ((x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, ctx->default_passwd_callback_userdata)) != NULL) {
ret = SSL_CTX_add_extra_chain_cert(ctx, x);
if (!ret)

{ X509_free(x); BIO_free(in); return -1; }

}

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Vijaya Bhaskar Mamidi

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 21/Oct/10 20:34

Updated:: 25/Jan/11 08:07

Resolved:: 02/Nov/10 20:16

Agile

View on Board

SSL over ATS sending partial certificate chain