View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002848||unreal||ircd||public||2006-03-11 01:50||2006-04-09 11:52|
|Target Version||Fixed in Version||3.2.5|
|Summary||0002848: Unreal should support chained SSL certificates|
globally accepted certificate authority has certified another certificate authority for signing SSL certificates. The certificate authority that everyone has in their root cert databases has signed the second authority's root cert with theirs, with signing rights granted. The second authority then signs our certificate.
This is called a chained SSL certificate. Every SSL client I've ever seen can deal with them, however, they usually take a little additional setup on the server end to make it work, and this is where I'm getting stuck with Unreal3.2.4.
We operate several large websites with SSL certificates signed by this same vendor. In Apache, there is a separate configuration option for a certificate chain file. In some other applications (most notably mail servers) you can append the chain certificate onto the end of your own certificate, and it will Just Work.
I can't find any option in Unreal to configure a chain file, and the trick with appending it onto the end of the certificate doesn't seem to work either.
Basically, I have four certificates in my cert file. Ours, the vendor who signed ours, the vendor's root cert, and the CA who signed our vendor's cert. All four certificates have to be sent to the client for it to work. Unreal is only sending the first one.
openssl s_client -connect irc.mozilla.org:6697 \
to test it, and can verify that when hitting one of our websites, all four certificates are in the output, but when hitting Unreal, only the first one is (which results in an "unable to verify first certificate" error in the client unless you tell it to accept invalid certificates).
|Additional Information||Examining the OpenSSL docs and the Unreal source, I discovered that the way Unreal is initializing the certificate does indeed only import the first certificate in the certificate file. Making a one-line change to the SSL initialization code makes it properly handle the "append the chained cert onto the end of your server cert" method without breaking standard certificates. I have a patch.|
SSL_CTX_use_certificate_file() is what's currently being used. This is documented to only load the first certificate in the file.
SSL_CTX_use_certificate_chain_file() does exactly the same thing, but loads every certificate in the file. However, it only allows PEM format certficiates, it won't do ASN1. In Unreal's case, this is irrelevant, because SSL_CTX_use_certificate_file() was hard-coded to request PEM format anyway.
|Tags||No tags attached.|
|3rd party modules|
unreal-ssl-chain.diff (571 bytes)
||err, apologies for the severity - this should be "feature". But now that it's there, I don't see a way to go back and change it.|
I see. I'll see if I can take a look at this later.
Thanks for the patch ;)
This is now in CVS :)
|2006-03-11 01:50||justdave||New Issue|
|2006-03-11 01:50||justdave||File Added: unreal-ssl-chain.diff|
|2006-03-11 01:52||justdave||Note Added: 0011345|
|2006-03-11 06:23||syzop||Note Added: 0011348|
|2006-03-11 06:23||syzop||Status||new => acknowledged|
|2006-03-11 06:23||syzop||Severity||major => tweak|
|2006-04-02 16:50||syzop||Relationship added||child of 0002748|
|2006-04-09 11:52||syzop||Status||acknowledged => resolved|
|2006-04-09 11:52||syzop||Fixed in Version||=> 3.2.5|
|2006-04-09 11:52||syzop||Resolution||open => fixed|
|2006-04-09 11:52||syzop||Assigned To||=> syzop|
|2006-04-09 11:52||syzop||Note Added: 0011492|