From: Alan T. DeKok
Date: Tue, 20 Oct 2015 13:46:34 +0000 (-0400)
Subject: Enable auto_chain. Fixes #1330
X-Git-Tag: release_3_0_11~238
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64e7a15e34b147b90e0a60ff9b421717e80dd96a;p=thirdparty%2Ffreeradius-server.git

Enable auto_chain. Fixes #1330
---
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 8759784d1e1..c2b6c3ab070 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -200,6 +200,15 @@ eap {
 # ca_file = ${cadir}/ca.pem
+ # OpenSSL will automatically create certificate chains,
+ # unless we tell it to not do that. The problem is that
+ # it sometimes gets the chains right from a certificate
+ # signature view, but wrong from the clients view.
+ #
+ # When setting "auto_chain = no", the server certificate
+ # file MUST include the full certificate chain.
+ # auto_chain = yes
+
 #
 # If OpenSSL supports TLS-PSK, then we can use
 # a PSK identity and (hex) password. When the
@@ -264,6 +273,7 @@ eap {
 #
 # include_length = yes
+ # Check the Certificate Revocation List
 #
 # 1) Copy CA certificates and CRLs to same directory.
diff --git a/src/include/tls-h b/src/include/tls-h
index 0169b2f9163..18cf9825d5f 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -348,6 +348,7 @@ struct fr_tls_server_conf_t {
 uint32_t verify_depth;
 bool file_type;
 bool include_length;
+ bool auto_chain;
 bool disable_tlsv1;
 bool disable_tlsv1_1;
 bool disable_tlsv1_2;
diff --git a/src/main/tls.c b/src/main/tls.c
index 2d0ff04d38c..8f540af3865 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1035,6 +1035,7 @@ static CONF_PARSER tls_server_config[] = {
 { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, random_file), NULL },
 { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
 { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
+ { "auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, auto_chain), "yes" },
 { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
 #ifdef X509_V_FLAG_CRL_CHECK_ALL
 { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
@@ -2632,6 +2633,16 @@ post_ca:
 #endif
 #endif
+ /*
+ * OpenSSL will automatically create certificate chains,
+ * unless we tell it to not do that. The problem is that
+ * it sometimes gets the chains right from a certificate
+ * signature view, but wrong from the clients view.
+ */
+ if (!conf->auto_chain) {
+ SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+ }
+
 /* Set Info callback */
 SSL_CTX_set_info_callback(ctx, cbtls_info);
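Review bot: In the post_ca hunk the new `if (!conf->auto_chain)` block disables OpenSSL's chain building, but the C comment above it explains only why OpenSSL's own chains can be wrong and not what the operator now has to supply: as the raddb comment in this same commit puts it, with "auto_chain = no" the certificate file MUST include the full chain, and a file holding only the leaf would leave supplicants unable to reach a trusted root, with the failure surfacing on the client rather than in the server's startup output. I'd mirror that requirement in the code comment, e.g. `* When auto_chain = no, the configured certificate file must contain the complete chain; OpenSSL will not add intermediates itself.`. If the OpenSSL versions this build supports offer a way to verify the loaded chain, doing that at startup when auto_chain is off would turn a client-side handshake failure into a reportable configuration error, though the hunk does not show which versions are targeted. The enclosing function starts before the `post_ca:` label and continues past the end of the hunk.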