View Issue Details

IDProjectCategoryView StatusLast Update
0002848unrealircdpublic2006-04-09 11:52
Reporterjustdave Assigned Tosyzop  
PrioritynormalSeveritytweakReproducibilityalways
Status resolvedResolutionfixed 
Platformi386OSLinuxOS Version2.6
Product Version3.2.4 
Fixed in Version3.2.5 
Summary0002848: Unreal should support chained SSL certificates
DescriptionSituation:
globally accepted certificate authority has certified another certificate authority for signing SSL certificates. The certificate authority that everyone has in their root cert databases has signed the second authority's root cert with theirs, with signing rights granted. The second authority then signs our certificate.

This is called a chained SSL certificate. Every SSL client I've ever seen can deal with them, however, they usually take a little additional setup on the server end to make it work, and this is where I'm getting stuck with Unreal3.2.4.

We operate several large websites with SSL certificates signed by this same vendor. In Apache, there is a separate configuration option for a certificate chain file. In some other applications (most notably mail servers) you can append the chain certificate onto the end of your own certificate, and it will Just Work.

I can't find any option in Unreal to configure a chain file, and the trick with appending it onto the end of the certificate doesn't seem to work either.

Basically, I have four certificates in my cert file. Ours, the vendor who signed ours, the vendor's root cert, and the CA who signed our vendor's cert. All four certificates have to be sent to the client for it to work. Unreal is only sending the first one.

I use
  openssl s_client -connect irc.mozilla.org:6697 \
    -CAfile /usr/share/ssl/certs/ca-bundle.crt
to test it, and can verify that when hitting one of our websites, all four certificates are in the output, but when hitting Unreal, only the first one is (which results in an "unable to verify first certificate" error in the client unless you tell it to accept invalid certificates).
Additional InformationExamining the OpenSSL docs and the Unreal source, I discovered that the way Unreal is initializing the certificate does indeed only import the first certificate in the certificate file. Making a one-line change to the SSL initialization code makes it properly handle the "append the chained cert onto the end of your server cert" method without breaking standard certificates. I have a patch.

SSL_CTX_use_certificate_file() is what's currently being used. This is documented to only load the first certificate in the file.

SSL_CTX_use_certificate_chain_file() does exactly the same thing, but loads every certificate in the file. However, it only allows PEM format certficiates, it won't do ASN1. In Unreal's case, this is irrelevant, because SSL_CTX_use_certificate_file() was hard-coded to request PEM format anyway.
TagsNo tags attached.
Attached Files
3rd party modules

Relationships

child of 0002748 closedsyzop 3.2.5 Release 

Activities

justdave

2006-03-11 01:52

reporter   ~0011345

err, apologies for the severity - this should be "feature". But now that it's there, I don't see a way to go back and change it.

syzop

2006-03-11 06:23

administrator   ~0011348

I see. I'll see if I can take a look at this later.
Thanks for the patch ;)

syzop

2006-04-09 11:52

administrator   ~0011492

This is now in CVS :)

Thanks!

Issue History

Date Modified Username Field Change
2006-03-11 01:50 justdave New Issue
2006-03-11 01:50 justdave File Added: unreal-ssl-chain.diff
2006-03-11 01:52 justdave Note Added: 0011345
2006-03-11 06:23 syzop Note Added: 0011348
2006-03-11 06:23 syzop Status new => acknowledged
2006-03-11 06:23 syzop Severity major => tweak
2006-04-02 16:50 syzop Relationship added child of 0002748
2006-04-09 11:52 syzop Status acknowledged => resolved
2006-04-09 11:52 syzop Fixed in Version => 3.2.5
2006-04-09 11:52 syzop Resolution open => fixed
2006-04-09 11:52 syzop Assigned To => syzop
2006-04-09 11:52 syzop Note Added: 0011492