From: Alan T. DeKok
Date: Thu, 22 Jul 2021 22:06:55 +0000 (-0400)
Subject: just use cert-file, and not chain file
X-Git-Tag: release_3_0_24~120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f47231d8f8122cf55dcfba40be53d63358660289;p=thirdparty%2Ffreeradius-server.git

just use cert-file, and not chain file
---
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index a9e825b56e5..5579f0d7e79 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -597,8 +597,7 @@
 ATTRIBUTE TLS-Session-Version 1947 string
 ATTRIBUTE TLS-Session-Cipher-Suite 1948 string
 ATTRIBUTE TLS-Session-Cert-File 1949 string
-ATTRIBUTE TLS-Session-Cert-Chain-File 1950 string
-ATTRIBUTE TLS-Session-Cert-Private-Key-File 1951 string
+ATTRIBUTE TLS-Session-Cert-Private-Key-File 1950 string
 
 #
 # Range: 1950-2099
diff --git a/src/main/tls.c b/src/main/tls.c
index 56500dd0eb4..1981e515d20 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
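Review bot: In share/dictionary.freeradius.internal the `# Range: 1950-2099` comment just below the hunk now sits under an attribute that occupies 1950; if that comment marks the unallocated numbers, it should read `# Range: 1951-2099`. Moving TLS-Session-Cert-Private-Key-File from 1951 to 1950 also changes the value behind PW_TLS_SESSION_CERT_PRIVATE_KEY_FILE, so anything that still carries the literal 1951 (a generated header, a copied dictionary on a deployed server) must be regenerated with this change; the diff does not show whether that happens automatically.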
@@ -715,14 +715,25 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
 */
 vp = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_FILE, 0, TAG_ANY);
 if (vp) {
+ VALUE_PAIR *key = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_PRIVATE_KEY_FILE, 0, TAG_ANY);
+ if (!key) key = vp;
+
 RDEBUG2("(TLS) Loading session certificate file \"%s\"", vp->vp_strvalue);
 
- if (SSL_use_certificate_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
- vp->vp_strvalue);
- error:
- talloc_free(state);
- return NULL;
+ if (conf->file_type) {
+ if (SSL_use_certificate_chain_file(state->ssl, vp->vp_strvalue) != 1) {
+ tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+ vp->vp_strvalue);
+ error:
+ talloc_free(state);
+ return NULL;
+ }
+ } else {
+ if (SSL_use_certificate_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_ASN1) != 1) {
+ tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+ vp->vp_strvalue);
+ goto error;
+ }
 }
 
 /*
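Review bot: The `if (!key) key = vp;` fallback together with the new `SSL_FILETYPE_ASN1` branch is inconsistent with the key load in the next hunk, where `SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, SSL_FILETYPE_PEM)` still hard-codes PEM: with `conf->file_type` false the certificate is read as DER but the key — by default the very same file — is parsed as PEM, so that path can only fail, and it fails with a "Failed loading TLS session certificate" message that now covers key errors too. Pass the format through in the next hunk, `SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, conf->file_type ? SSL_FILETYPE_PEM : SSL_FILETYPE_ASN1)`, and in the else branch reject the fallback up front, `if (key == vp) { tls_error_log(request, "TLS-Session-Cert-Private-Key-File is required with a DER certificate"); goto error; }`, since a single DER object cannot carry both certificate and key. The `error:` label now sits inside the nested `if (conf->file_type) {` body, so every later `goto error` jumps into a conditional block; it compiles, but moving the label outside the conditional would read as intended. I am inferring the meaning of `conf->file_type` only from the branch it selects (PEM chain file when true, ASN.1 when false), which should be confirmed against its definition; tls_new_session continues on both sides of this hunk.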
@@ -734,42 +745,14 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
 * putting a password into the same file system
 * as the private key.
 */
- if (SSL_use_PrivateKey_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
- vp->vp_strvalue);
- goto error;
- }
-
- if (SSL_check_private_key(state->ssl) != 1) {
- tls_error_log(request, "Failed validating TLS session certificate \"%s\"",
- vp->vp_strvalue);
- goto error;
- }
-
- } else if ((vp = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_CHAIN_FILE, 0, TAG_ANY)) != NULL) {
- VALUE_PAIR *key = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_PRIVATE_KEY_FILE, 0, TAG_ANY);
-
- if (!key) {
- tls_error_log(request, "Missing TLS-Cert-Private-Key-File for TLS-Session-Cert-Chain-File");
- goto error;
- }
-
- RDEBUG2("(TLS) Loading session certificate chain file \"%s\"", vp->vp_strvalue);
-
- if (SSL_use_certificate_chain_file(state->ssl, vp->vp_strvalue) != 1) {
- tls_error_log(request, "Failed loading TLS session certificate chain \"%s\"",
- vp->vp_strvalue);
- goto error;
- }
-
 if (SSL_use_PrivateKey_file(state->ssl, key->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
- tls_error_log(request, "Failed loading TLS session certificate private key \"%s\"",
+ tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
 key->vp_strvalue);
 goto error;
 }
 
 if (SSL_check_private_key(state->ssl) != 1) {
- tls_error_log(request, "Failed validating TLS session certificate chain \"%s\"",
+ tls_error_log(request, "Failed validating TLS session certificate \"%s\"",
 vp->vp_strvalue);
 goto error;
 }
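Review bot: The two `+` lines in this hunk drop the information that tells a key failure apart from a certificate failure: the `SSL_use_PrivateKey_file` error now reports "Failed loading TLS session certificate" while printing `key->vp_strvalue`, and the `SSL_check_private_key` error names only `vp->vp_strvalue` even though, with a separate key file now accepted on this path, the mismatch may be with `key->vp_strvalue`. Keep the distinction in the messages: `tls_error_log(request, "Failed loading TLS session private key \"%s\"", key->vp_strvalue);` and `tls_error_log(request, "Failed validating TLS session certificate \"%s\" against private key \"%s\"", vp->vp_strvalue, key->vp_strvalue);`. An operator debugging a per-session certificate that is refused otherwise sees the same text for three different causes. tls_new_session continues past this hunk.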