
Re: (ITS#8586) load cert+chain from TLSCertificateFile

On 12.02.2017 at 12:04, Michael Ströder wrote:
> sca+openldap@andreasschulze.de wrote:
>> as discussed on the technical ML it's uncommon to put chain certificates in
>> TLSCACertificateFile or TLSCACertificatePath. In the case of an intermediate CA like
>> "Let's Encrypt Authority X3" it may be wrong because the user is forced to
>> /TRUST/ that intermediate for an unrelated purpose.
> 
> We should be more precise here - especially regarding the term "user".
Agreed.

> IMO it is common to put the whole CA cert chain in the cert configuration of a TLS
> server. This is required so that the TLS *client* only has to know the root CA cert
> (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS
> implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).
As I don't use GnuTLS, I can't say anything about its internals.


> The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used
> to specify the set of trusted CA certs to validate TLS client certs used by the TLS
> client to authenticate.
Correct. That's also what "man 3 SSL_CTX_use_certificate" mentions.

> So I'm not sure whether your patch breaks the use-case of having more than one trusted
> root CA cert for validating TLS client certs issued by independent CAs.
I can imagine a setup with RSA and EC certificates. Two certs are more complex than one.
But if an admin decides to use different CAs, it's his decision to accept more complexity.

> I think we might need different directives for trusted CA certs for client cert
> validation and the server cert chain (similar what's done on Apache mod_ssl with
> SSLCertificateChainFile and SSLCACertificateFile/SSLCACertificatePath).
Also: I don't use Apache, so I can't tell if that way is the best. Postfix, Dovecot and nginx,
for example, don't require an "SSLCertificateChainFile" directive.

> It could be sufficient to simply add the server CA cert chain to TLSCertificateFile and
> only add the trusted root CA certs to TLSCACertificateFile/TLSCACertificatePath (and no C
> code patch needed for that, maybe review/clarification of the docs).
That's what the patch tries to do. Currently, I tried to add cert+chain to a file used as TLSCertificateFile.
The chain is ignored, as expected and documented in "man 3 SSL_CTX_use_certificate_file".
Simply replacing SSL_CTX_use_certificate_file with SSL_CTX_use_certificate_chain_file
fixes that. I can now put cert+chain (excluding a root) in the file used as TLSCertificateFile.
As simple as it could be.

But: I'm aware there are other use cases, years old, where this will break stuff.
So my ITS is more intended to point out a problem than to simply change OpenLDAP to my needs.

Andreas
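An added example (not part of this thread or of OpenLDAP) showing how an admin can sanity-check a cert+chain bundle before pointing TLSCertificateFile at it: the server cert must come first, each following cert must be the issuer of the previous one (the bottom-up order mentioned above), and the self-signed root should be left out because it belongs in the client's trust store. It uses the Python `cryptography` library and builds a constructed root/intermediate/leaf PKI with hypothetical names so that it runs offline.

```python
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, key, signer_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer_key, hashes.SHA256())

def build_test_pki():
    """Constructed root -> intermediate -> leaf with hypothetical names; returns PEM strings."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert(_name("Test Root CA"), _name("Test Root CA"), root_key, root_key, True)
    inter = _cert(_name("Test Intermediate CA"), root.subject, inter_key, root_key, True)
    leaf = _cert(_name("ldap.example.test"), inter.subject, leaf_key, inter_key, False)
    return [c.public_bytes(serialization.Encoding.PEM).decode() for c in (leaf, inter, root)]

def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def check_server_chain(pem_text):
    """Problems in a cert+chain bundle meant for TLSCertificateFile: leaf first, then each
    issuer in order (bottom-up), and no self-signed root, since that is the client's anchor."""
    certs = [x509.load_pem_x509_certificate(b) for b in PEM_BLOCK.findall(pem_text.encode())]
    if not certs:
        return ["no certificates found"]
    problems = []
    if _is_ca(certs[0]):
        problems.append("first certificate is a CA cert, not the server (end-entity) cert")
    for i in range(len(certs) - 1):
        if certs[i].issuer != certs[i + 1].subject:
            problems.append(f"certificate {i + 1} does not issue certificate {i} (chain out of order)")
    if certs[-1].issuer == certs[-1].subject:
        problems.append("self-signed root included; keep it in the client's trust store instead")
    return problems
```

An empty list from `check_server_chain` means the bundle has the shape SSL_CTX_use_certificate_chain_file expects; anything else is worth fixing before reloading slapd.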