SSL_CTX_use_certificate_chain_file() should be used instead of the

author Willem Toorop <willem@nlnetlabs.nl>

Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)

committer Willem Toorop <willem@nlnetlabs.nl>

Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)
author Willem Toorop <willem@nlnetlabs.nl>
Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)
committer Willem Toorop <willem@nlnetlabs.nl>
Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)
diff --git a/daemon/remote.c b/daemon/remote.c

index a9ec7bd92dc0e40f5496d6348c926e860a2091c3..300b9922c08378ba604d7e90d67b345543412839 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
                 goto setup_error;
         }
         verbose(VERB_ALGO, "setup SSL certificates");
-       if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+       if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
                 log_err("Error for server-cert-file: %s", s_cert);
-               log_crypto_err("Error in SSL_CTX use_certificate_file");
+               log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
                 goto setup_error;
         }
         if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
diff --git a/doc/Changelog b/doc/Changelog

index 37ef28aea037996ce22841b331f11aacbcf5912c..0b130e4a0ea19857f9223dadcab5fd88f5a85daa 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+18 July 2015: Willem
+       - Allow certificate chain files to allow for intermediate certificates.
+         (thanks Daniel Kahn Gillmor)
+
  13 July 2015: Wouter
         - makedist produces sha1 and sha256 files for created binaries too.
  
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c

index d4b147d67095249698c377802ae9bab4dc262a54..571b4d0b08d2da83515b042b5d00b0dae3a9a195 100644 (file)
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
          if(cfg->remote_control_use_cert) {
                 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
                         ssl_err("could not set SSL_OP_NO_SSLv3");
-               if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+               if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
                     !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
                     || !SSL_CTX_check_private_key(ctx))
                         ssl_err("Error setting up SSL_CTX client key and cert");
diff --git a/testcode/petal.c b/testcode/petal.c

index 964735b39ddc8b4cc867495ef3bd73a2d39505f3..e680005a73dc1569445a745649d6efc7eb1cb2ee 100644 (file)
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -236,7 +236,7 @@ setup_ctx(char* key, char* cert)
         if(!ctx) print_exit("out of memory");
         (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
         (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
-       if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
+       if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
                 print_exit("cannot read cert");
         if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
                 print_exit("cannot read key");
diff --git a/util/net_help.c b/util/net_help.c

index 8b39af6b3b0dcaaba59b287885c1bd895ab2c26d..5ad765844a2b0152e49821d77dca008dd6836f1e 100644 (file)
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
                 SSL_CTX_free(ctx);
                 return NULL;
         }
-       if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+       if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
                 log_err("error for cert file: %s", pem);
-               log_crypto_err("error in SSL_CTX use_certificate_file");
+               log_crypto_err("error in SSL_CTX use_certificate_chain_file");
                 SSL_CTX_free(ctx);
                 return NULL;
         }
@@ -684,7 +684,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
                 return NULL;
         }
         if(key && key[0]) {
-               if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+               if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
                         log_err("error in client certificate %s", pem);
                         log_crypto_err("error in certificate file");
                         SSL_CTX_free(ctx);
author	Willem Toorop <willem@nlnetlabs.nl>
	Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)
committer	Willem Toorop <willem@nlnetlabs.nl>
	Sat, 18 Jul 2015 12:34:37 +0000 (12:34 +0000)
daemon/remote.c		patch \| blob \| blame \| history
doc/Changelog		patch \| blob \| blame \| history
smallapp/unbound-control.c		patch \| blob \| blame \| history
testcode/petal.c		patch \| blob \| blame \| history
util/net_help.c		patch \| blob \| blame \| history