From patchwork Tue Nov 15 01:03:19 2011
X-Patchwork-Submitter: Maciej Szmigiero
X-Patchwork-Id: 125651
Message-ID: <4EC1BA57.3080900@o2.pl>
Date: Tue, 15 Nov 2011 02:03:19 +0100
From: Maciej Szmigiero
To: hostap@lists.shmoo.com
Subject: [PATCH] Send whole certificate chain from file

Currently the OpenSSL implementation of TLS in hostapd loads only the top certificate in the server certificate file. This requires any intermediate certs to be installed on the client machine in order for it to be able to verify the server cert properly and violates TLS specs (section 7.4.2) when used with such intermediate certs.

In contrast, the GnuTLS implementation correctly loads the whole chain if it's present in the server certificate file.

This patch tries to load the whole chain first in the OpenSSL implementation, then reverts to the old behavior if it fails.

Signed-off-by: Maciej Szmigiero

--- src/crypto/tls_openssl.c.old 2010-09-07 17:43:39.000000000 +0200 +++ src/crypto/tls_openssl.c 2011-04-12 14:45:24.968047291 +0200 @@ -1586,6 +1586,7 @@ if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_ASN1) != 1 && + SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 && SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_PEM) != 1) { tls_show_errors(MSG_INFO, __func__,
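Review bot: the new SSL_CTX_use_certificate_chain_file() attempt is placed between the ASN1 and PEM attempts, and because the chain loader reads PEM itself and succeeds on a file holding a single PEM certificate, the trailing SSL_CTX_use_certificate_file(ssl_ctx, client_cert, SSL_FILETYPE_PEM) fallback is now only reached when the chain loader rejects the file (for instance when a later certificate in the bundle fails to parse); that matches the "reverts to old behavior if it fails" description, but a one-line comment above the condition explaining why the three attempts are ordered this way would stop the next reader from treating the PEM fallback as dead code. Two more points on the same hunk: the description talks about the server certificate file while the condition keys on client_cert, so please say in the message which loader this is (the global one hostapd uses for its own server certificate, or the per-connection client-certificate one) and whether the other block needs the same change; and since each failed attempt pushes entries onto the OpenSSL error queue, confirm that the success path still clears them as it did with only the ASN1 attempt failing, otherwise tls_show_errors() later in this function will report stale errors. Finally, the patch is taken against a 2010-09-07 copy of the file (tls_openssl.c.old); please regenerate it against the current tree so it applies cleanly.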