From fa205646998562d26cdc44026ac9ac8343ea9da0 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sat, 18 Jul 2015 12:34:37 +0000
Subject: [PATCH] SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage. Thanks Daniel Kahn Gillmore
git-svn-id: file:///svn/unbound/trunk@3451 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/remote.c | 4 ++--
 doc/Changelog | 4 ++++
 smallapp/unbound-control.c | 2 +-
 testcode/petal.c | 2 +-
 util/net_help.c | 6 +++---
 5 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/daemon/remote.c b/daemon/remote.c
index a9ec7bd92..300b9922c 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
 goto setup_error;
 }
 verbose(VERB_ALGO, "setup SSL certificates");
- if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
 log_err("Error for server-cert-file: %s", s_cert);
- log_crypto_err("Error in SSL_CTX use_certificate_file");
+ log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
 goto setup_error;
 }
 if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
diff --git a/doc/Changelog b/doc/Changelog
index 37ef28aea..0b130e4a0 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+18 July 2015: Willem
+ - Allow certificate chain files to allow for intermediate certificates.
+ (thanks Daniel Kahn Gillmor)
+
 13 July 2015: Wouter
 - makedist produces sha1 and sha256 files for created binaries too.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index d4b147d67..571b4d0b0 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
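Review bot: The new SSL_CTX_use_certificate_chain_file() call makes the on-disk ordering of s_cert significant — the first PEM certificate in the file is taken as the server certificate and every following one as an intermediate — and nothing in the hunk or the error text tells an operator that, so a file with the CA certificate first loads without error here and only fails (if at all) when the private key is compared against the wrong certificate. A comment above the call would make the contract visible: `/* s_cert is PEM: server certificate first, then its intermediate CA chain (if any) */`. The key/certificate consistency check belongs right after SSL_CTX_use_PrivateKey_file(); daemon_remote_create() continues outside the hunk, so if `SSL_CTX_check_private_key(rc->ctx)` is not already called there, it is the place where such a misordered file would be caught. The same ordering note applies to the testcode/petal.c and util/net_help.c hunks, which switch the same call.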
@@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
 if(cfg->remote_control_use_cert) {
 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
 ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+ if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
 !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) ||
 !SSL_CTX_check_private_key(ctx))
 ssl_err("Error setting up SSL_CTX client key and cert");
diff --git a/testcode/petal.c b/testcode/petal.c
index 964735b39..e680005a7 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -236,7 +236,7 @@ setup_ctx(char* key, char* cert)
 if(!ctx) print_exit("out of memory");
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
+ if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
 print_exit("cannot read cert");
 if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
 print_exit("cannot read key");
diff --git a/util/net_help.c b/util/net_help.c
index 8b39af6b3..5ad765844 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 SSL_CTX_free(ctx);
 return NULL;
 }
- if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 log_err("error for cert file: %s", pem);
- log_crypto_err("error in SSL_CTX use_certificate_file");
+ log_crypto_err("error in SSL_CTX use_certificate_chain_file");
 SSL_CTX_free(ctx);
 return NULL;
 }
@@ -684,7 +684,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 return NULL;
 }
 if(key && key[0]) {
- if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
 log_err("error in client certificate %s", pem);
 log_crypto_err("error in certificate file");
 SSL_CTX_free(ctx);
-- 
2.47.2
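Review bot: In the unbound-control.c hunk the chain-file call is OR-ed with SSL_CTX_use_PrivateKey_file() and SSL_CTX_check_private_key() behind the single message "Error setting up SSL_CTX client key and cert", so the failure mode the new call introduces — a c_cert file whose intermediate comes before the client certificate, which loads fine and then fails only the private-key check — is reported without any hint that the certificate order is the cause. Since restructuring the condition is out of scope for this commit, a comment on the call documents the contract for the next reader: `/* c_cert is PEM: client certificate first, then intermediates; a wrong order fails SSL_CTX_check_private_key */`. Whether ssl_err() also dumps the OpenSSL error queue, which would soften this, is not visible from the hunk.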
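Review bot: In the connect_sslctx_create() hunk of util/net_help.c the accompanying `log_crypto_err("error in certificate file")` is left as is, while the listen_sslctx_create() hunk in the same file renames its message to name the new function; operators grepping logs for the function they configured will find only one of the two. For consistency with the sibling hunk, change it to `log_crypto_err("error in SSL_CTX use_certificate_chain_file");`. Both functions continue outside their hunks, so whether the key/certificate consistency check follows the SSL_CTX_use_PrivateKey_file() call cannot be confirmed from here.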