SSL_CTX_use_certificate_chain_file() should be used instead of the
SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage. Thanks Daniel Kahn Gillmor git-svn-id: file:///svn/unbound/trunk@3451 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
54ad544e69
commit
fa20564699
@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
|
||||
goto setup_error;
|
||||
}
|
||||
verbose(VERB_ALGO, "setup SSL certificates");
|
||||
if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
|
||||
if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
|
||||
log_err("Error for server-cert-file: %s", s_cert);
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
|
||||
goto setup_error;
|
||||
}
|
||||
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
||||
|
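Review bot: The new SSL_CTX_use_certificate_chain_file() call at the top of the block takes the first PEM certificate in server-cert-file as the server certificate and, as I read the OpenSSL API, presents every certificate that follows it as the chain, so the file's ordering now matters where it did not before. A misordered file (intermediate first) is only caught later when the key is matched against the certificate, and any stray certificate appended to the file is now sent to every client. A comment above the call would save the next maintainer a trip to the OpenSSL docs: `/* server-cert-file: leaf certificate first, then its intermediates (everything after the leaf is sent to clients as the chain) */`. daemon_remote_create() starts and ends outside the hunk.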
@ -1,3 +1,7 @@
|
||||
18 July 2015: Willem
|
||||
- Allow certificate chain files to allow for intermediate certificates.
|
||||
(thanks Daniel Kahn Gillmor)
|
||||
|
||||
13 July 2015: Wouter
|
||||
- makedist produces sha1 and sha256 files for created binaries too.
|
||||
|
||||
|
@ -161,7 +161,7 @@ setup_ctx(struct config_file* cfg)
|
||||
if(cfg->remote_control_use_cert) {
|
||||
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
|
||||
ssl_err("could not set SSL_OP_NO_SSLv3");
|
||||
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
|
||||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|
||||
|| !SSL_CTX_check_private_key(ctx))
|
||||
ssl_err("Error setting up SSL_CTX client key and cert");
|
||||
|
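Review bot: The rewritten condition places `||` at the end of the chain-file line but at the start of the SSL_CTX_check_private_key() line, which makes the three-term test harder to scan than it needs to be. Putting the operator in one position throughout reads better: `if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||` / `!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) ||` / `!SSL_CTX_check_private_key(ctx))`. The merged check also means a bad intermediate in c_cert and a bad key produce the same "Error setting up SSL_CTX client key and cert" message; that is acceptable only if ssl_err() dumps the OpenSSL error queue, which is not visible from here. setup_ctx() continues outside the hunk.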
@ -236,7 +236,7 @@ setup_ctx(char* key, char* cert)
|
||||
if(!ctx) print_exit("out of memory");
|
||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
||||
(void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
|
||||
if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, cert))
|
||||
print_exit("cannot read cert");
|
||||
if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
|
||||
print_exit("cannot read key");
|
||||
|
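Review bot: Within the visible lines this setup_ctx() loads the certificate chain and the private key but never calls SSL_CTX_check_private_key(), unlike the unbound-control setup_ctx() changed in this same commit; if no check follows past the hunk, a key that does not match the leaf certificate is only discovered at handshake time. Adding `if(!SSL_CTX_check_private_key(ctx)) print_exit("key does not match cert");` after the key load would fail fast with a clear message. Note also that `print_exit("cannot read cert")` discards the OpenSSL error queue, so a malformed intermediate in a chain file now gives no detail about which certificate was rejected, whereas the other hunks log it via log_crypto_err(). setup_ctx() continues outside the hunk.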
@ -629,9 +629,9 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error for cert file: %s", pem);
|
||||
log_crypto_err("error in SSL_CTX use_certificate_file");
|
||||
log_crypto_err("error in SSL_CTX use_certificate_chain_file");
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
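Review bot: With the chain-file call, `pem` now doubles as the file that may carry intermediates, but nothing near the call says so, and a reader could assume intermediates belong in `verifypem`, which from its name I take to be the CA store used for peer verification rather than the chain the server presents. A comment above the call would make the split explicit: `/* pem: server certificate first, then its intermediates; verifypem is not part of the presented chain */` — the verifypem part should be confirmed against the rest of the function, which is outside the hunk. The error path correctly frees ctx and returns NULL as before. listen_sslctx_create() begins and ends outside the hunk.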
@ -684,7 +684,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
|
||||
return NULL;
|
||||
}
|
||||
if(key && key[0]) {
|
||||
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
|
||||
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
|
||||
log_err("error in client certificate %s", pem);
|
||||
log_crypto_err("error in certificate file");
|
||||
SSL_CTX_free(ctx);
|
||||
|
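Review bot: The new SSL_CTX_use_certificate_chain_file(ctx, pem) call runs under a guard that tests only `key && key[0]`, so a non-empty key combined with a NULL or empty pem reaches the OpenSSL file open with that path; whether callers can produce that combination is not visible here. If they can, rejecting it explicitly before the call, `if(!pem || !pem[0]) { log_err("client key given without a certificate"); SSL_CTX_free(ctx); return NULL; }`, is cheaper and clearer than relying on OpenSSL to report it. The second log line, `log_crypto_err("error in certificate file")`, was not renamed to mention the chain file as the other hunks were; minor, but worth aligning. connect_sslctx_create() ends outside the hunk.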