just use cert-file, and not chain file
authorAlan T. DeKok <aland@freeradius.org>
Thu, 22 Jul 2021 22:06:55 +0000 (18:06 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 22 Jul 2021 22:06:55 +0000 (18:06 -0400)
share/dictionary.freeradius.internal
src/main/tls.c

index a9e825b56e57f541e222c6ffc333a318593ee7cc..5579f0d7e79d6cb108e73205676d3b45517c8904 100644 (file)
@@ -597,8 +597,7 @@ ATTRIBUTE   TLS-Session-Version                     1947    string
 ATTRIBUTE      TLS-Session-Cipher-Suite                1948    string
 
 ATTRIBUTE      TLS-Session-Cert-File                   1949    string
-ATTRIBUTE      TLS-Session-Cert-Chain-File             1950    string
-ATTRIBUTE      TLS-Session-Cert-Private-Key-File       1951    string
+ATTRIBUTE      TLS-Session-Cert-Private-Key-File       1950    string
 
 #
 #      Range:  1950-2099
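Review bot: Number 1950 is reassigned from the removed TLS-Session-Cert-Chain-File to TLS-Session-Cert-Private-Key-File, which previously held 1951, so anything that still refers to the old name or number now resolves to a different attribute (or not at all). The `Range: 1950-2099` comment directly below also still presents 1950 as the start of the next free range while 1950 is in use. Keeping the private-key attribute at 1951 and only deleting the 1950 line, or correcting the range comment to start at 1951, would avoid both inconsistencies.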
index 56500dd0eb434f8f75de6c69ff7b548c3a39eec5..1981e515d20db20c9de4f72b9365fee2b5897afc 100644 (file)
@@ -715,14 +715,25 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
         */
        vp = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_FILE, 0, TAG_ANY);
        if (vp) {
+               VALUE_PAIR *key = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_PRIVATE_KEY_FILE, 0, TAG_ANY);
+               if (!key) key = vp;
+
                RDEBUG2("(TLS) Loading session certificate file \"%s\"", vp->vp_strvalue);
 
-               if (SSL_use_certificate_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
-                       tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
-                                     vp->vp_strvalue);
-               error:
-                       talloc_free(state);
-                       return NULL;
+               if (conf->file_type) {
+                       if (SSL_use_certificate_chain_file(state->ssl, vp->vp_strvalue) != 1) {
+                               tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+                                             vp->vp_strvalue);
+                       error:
+                               talloc_free(state);
+                               return NULL;
+                       }
+               } else {
+                       if (SSL_use_certificate_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_ASN1) != 1) {
+                               tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+                                             vp->vp_strvalue);
+                               goto error;
+                       }
                }
 
                /*
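Review bot: The `error:` label is now placed inside the inner `if` of the chain-file branch, and the new ASN.1 branch (`goto error`) as well as the private-key checks further down jump into that sibling block; it is legal C but hard to follow and easy to break on the next edit. Moving the label to a cleanup point after the whole `if (vp)` block, with `talloc_free(state); return NULL;` there, keeps a single error path. The fallback `if (!key) key = vp;` also silently reads the private key from the certificate file when TLS-Session-Cert-Private-Key-File is absent; a debug line such as `RDEBUG2("(TLS) Loading session private key from \"%s\"", key->vp_strvalue);` would tell an operator which file a later key failure refers to. tls_new_session begins before this hunk and continues past it.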
@@ -734,42 +745,14 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
                 *      putting a password into the same file system
                 *      as the private key.
                 */
-               if (SSL_use_PrivateKey_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
-                       tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
-                                     vp->vp_strvalue);
-                       goto error;
-               }
-
-               if (SSL_check_private_key(state->ssl) != 1) {
-                       tls_error_log(request, "Failed validating TLS session certificate \"%s\"",
-                                     vp->vp_strvalue);
-                       goto error;
-               }
-
-       } else if ((vp = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_CHAIN_FILE, 0, TAG_ANY)) != NULL) {
-               VALUE_PAIR *key = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_PRIVATE_KEY_FILE, 0, TAG_ANY);
-
-               if (!key) {
-                       tls_error_log(request, "Missing TLS-Cert-Private-Key-File for TLS-Session-Cert-Chain-File");
-                       goto error;
-               }
-
-               RDEBUG2("(TLS) Loading session certificate chain file \"%s\"", vp->vp_strvalue);
-
-               if (SSL_use_certificate_chain_file(state->ssl, vp->vp_strvalue) != 1) {
-                       tls_error_log(request, "Failed loading TLS session certificate chain \"%s\"",
-                                     vp->vp_strvalue);
-                       goto error;
-               }
-
                if (SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
-                       tls_error_log(request, "Failed loading TLS session certificate private key \"%s\"",
+                       tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
                                      key->vp_strvalue);
                        goto error;
                }
 
                if (SSL_check_private_key(state->ssl) != 1) {
-                       tls_error_log(request, "Failed validating TLS session certificate chain \"%s\"",
+                       tls_error_log(request, "Failed validating TLS session certificate \"%s\"",
                                      vp->vp_strvalue);
                        goto error;
                }
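Review bot: The unchanged `SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, SSL_FILETYPE_PEM)` call is now reached from the new non-`file_type` branch, where the certificate was loaded with SSL_FILETYPE_ASN1 and, when no separate key attribute is configured, `key` is that same DER file, so the PEM key load cannot succeed for that configuration. If `conf->file_type` selects PEM versus DER (presumably, given the certificate branches), the key load should follow the same switch: `if (SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, conf->file_type ? SSL_FILETYPE_PEM : SSL_FILETYPE_ASN1) != 1) {`. The SSL_check_private_key failure message still names `vp->vp_strvalue` although the key may have come from `key->vp_strvalue`; logging both files would make a cert/key mismatch diagnosable. tls_new_session starts before this hunk and continues past it.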