0002848: Unreal should support chained SSL certificates - UnrealIRCd Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0002848	unreal	ircd	public	2006-03-11 01:50	2006-04-09 11:52

Reporter	justdave	Assigned To	syzop
Priority	normal	Severity	tweak	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	i386	OS	Linux	OS Version	2.6
Product Version	3.2.4
Fixed in Version	3.2.5

Summary	0002848: Unreal should support chained SSL certificates
Description	Situation: globally accepted certificate authority has certified another certificate authority for signing SSL certificates. The certificate authority that everyone has in their root cert databases has signed the second authority's root cert with theirs, with signing rights granted. The second authority then signs our certificate. This is called a chained SSL certificate. Every SSL client I've ever seen can deal with them, however, they usually take a little additional setup on the server end to make it work, and this is where I'm getting stuck with Unreal3.2.4. We operate several large websites with SSL certificates signed by this same vendor. In Apache, there is a separate configuration option for a certificate chain file. In some other applications (most notably mail servers) you can append the chain certificate onto the end of your own certificate, and it will Just Work. I can't find any option in Unreal to configure a chain file, and the trick with appending it onto the end of the certificate doesn't seem to work either. Basically, I have four certificates in my cert file. Ours, the vendor who signed ours, the vendor's root cert, and the CA who signed our vendor's cert. All four certificates have to be sent to the client for it to work. Unreal is only sending the first one. I use openssl s_client -connect irc.mozilla.org:6697 \ -CAfile /usr/share/ssl/certs/ca-bundle.crt to test it, and can verify that when hitting one of our websites, all four certificates are in the output, but when hitting Unreal, only the first one is (which results in an "unable to verify first certificate" error in the client unless you tell it to accept invalid certificates).
Additional Information	Examining the OpenSSL docs and the Unreal source, I discovered that the way Unreal is initializing the certificate does indeed only import the first certificate in the certificate file. Making a one-line change to the SSL initialization code makes it properly handle the "append the chained cert onto the end of your server cert" method without breaking standard certificates. I have a patch. SSL_CTX_use_certificate_file() is what's currently being used. This is documented to only load the first certificate in the file. SSL_CTX_use_certificate_chain_file() does exactly the same thing, but loads every certificate in the file. However, it only allows PEM format certficiates, it won't do ASN1. In Unreal's case, this is irrelevant, because SSL_CTX_use_certificate_file() was hard-coded to request PEM format anyway.
Tags	No tags attached.
Attached Files	unreal-ssl-chain.diff (571 bytes)

3rd party modules

justdave 2006-03-11 01:52 reporter ~0011345	err, apologies for the severity - this should be "feature". But now that it's there, I don't see a way to go back and change it.

syzop 2006-03-11 06:23 administrator ~0011348	I see. I'll see if I can take a look at this later. Thanks for the patch ;)

syzop 2006-04-09 11:52 administrator ~0011492	This is now in CVS :) Thanks!

Date Modified	Username	Field	Change
2006-03-11 01:50	justdave	New Issue
2006-03-11 01:50	justdave	File Added: unreal-ssl-chain.diff
2006-03-11 01:52	justdave	Note Added: 0011345
2006-03-11 06:23	syzop	Note Added: 0011348
2006-03-11 06:23	syzop	Status	new => acknowledged
2006-03-11 06:23	syzop	Severity	major => tweak
2006-04-02 16:50	syzop	Relationship added	child of 0002748
2006-04-09 11:52	syzop	Status	acknowledged => resolved
2006-04-09 11:52	syzop	Fixed in Version	=> 3.2.5
2006-04-09 11:52	syzop	Resolution	open => fixed
2006-04-09 11:52	syzop	Assigned To	=> syzop
2006-04-09 11:52	syzop	Note Added: 0011492