Improve handling of intermediate certificates in public key for SSL_CTX configuration #151
The current code in the for loop does not properly add the intermediate certificates from the PEM file to the SSL_CTX. When a certificate provider, such as Let's Encrypt, supplies a fullchain.pem file containing both the server certificate and the intermediate certificate(s), the existing code only includes the server certificate. This leads to an improperly configured SSL handshake.
Commenting out the for loop, as suggested in the related issue on the iodine repo (boazsegev/iodine#94), does not resolve the problem.
An alternative solution is to use SSL_CTX_use_certificate_chain_file(), which can handle the inclusion of intermediate certificates. However, this approach requires modifying the current functions to pass the PEM file name instead of the public_key contents.
To address this issue, I propose the following changes:

1. Set the server certificate in the SSL_CTX using the initial X509 value from the public_key.
2. Iterate through the remaining X509 values (if any) and add them to the SSL_CTX using SSL_CTX_add1_chain_cert(). This function is specifically designed to add additional certificates to the certificate chain.
By making these modifications, the SSL_CTX will be properly configured with both the server certificate and any intermediate certificates present in the PEM file.
With this code change we were able to confirm a properly configured SSL certificate from our server environment.
References:

- SSL_CTX_use_certificate_chain_file(): https://www.openssl.org/docs/manmaster/man3/SSL_CTX_use_certificate_chain_file.html
- SSL_CTX_add1_chain_cert(): https://www.openssl.org/docs/man3.0/man3/SSL_CTX_add1_chain_cert.html
Please let me know if you have any questions or requests with this change!