New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wolfssl: Allow use of certificate chain #12634
Conversation
Please elaborate on what this change does and why we want it! Why does the type of the certificate change what function to call? |
|
It's probably ok. It's similar to what we do for client certs when using OpenSSL, see here. I say probably because I don't know if wolfSSL_CTX_use_certificate_chain_file has exactly the same behavior as OpenSSL. OpenSSL's SSL_CTX_use_certificate_chain_file apparently has an undocumented parsing that allows private keys in the chain file but wolfSSL may not; I found this bug when searching but it's several years old. |
Use of this function is the solution suggested by wolfSSL engineers. However, I would like to offer this slightly cleaned up alternative take: diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 5250e091b..a3c017cea 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -581,24 +581,29 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
/* Load the client certificate, and private key */
if(ssl_config->primary.clientcert && ssl_config->key) {
int file_type = do_file_type(ssl_config->cert_type);
- if(file_type == WOLFSSL_FILETYPE_PEM &&
- wolfSSL_CTX_use_certificate_chain_file(backend->ctx,
- ssl_config->primary.clientcert) != 1) {
- failf(data, "unable to use client certificate (no key or wrong pass"
- " phrase?)");
- return CURLE_SSL_CONNECT_ERROR;
+ if(file_type == WOLFSSL_FILETYPE_PEM) {
+ if(wolfSSL_CTX_use_certificate_chain_file(backend->ctx,
+ ssl_config->primary.clientcert)
+ != 1) {
+ failf(data, "unable to use client certificate");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
}
- else if(file_type == WOLFSSL_FILETYPE_ASN1 &&
- wolfSSL_CTX_use_certificate_file(backend->ctx,
- ssl_config->primary.clientcert,
- file_type) != 1) {
- failf(data, "unable to use client certificate (no key or wrong pass"
- " phrase?)");
- return CURLE_SSL_CONNECT_ERROR;
+ else if(file_type == WOLFSSL_FILETYPE_ASN1) {
+ if(wolfSSL_CTX_use_certificate_file(backend->ctx,
+ ssl_config->primary.clientcert,
+ file_type) != 1) {
+ failf(data, "unable to use client certificate");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+ else {
+ failf(data, "unknown cert type");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
}
file_type = do_file_type(ssl_config->key_type);
if(wolfSSL_CTX_use_PrivateKey_file(backend->ctx, ssl_config->key,
file_type) != 1) { |
That looks fine as well. |
Yes that looks good to me |
Thanks! |
Fixes ZD#17158.
Customer is using a certificate chain. Leaf cert + intermediate cert.