Hello,
I'm trying to configure OpenBSD 5.7 httpd with TLS and an
intermediate/chain certificate, without success.
My httpd.conf:
server "default" {
        listen on 10.11.0.200 tls port 443
        tls {
                certificate "/etc/ssl/server-unified.pem"
                key "/etc/ssl/private/server.key"
        }
        root "/htdocs/default"
}
types {
        include "/usr/share/misc/mime.types"
}
My certificate is an intermediate/chain certificate. That means I need to
supply the "next level" certificate that sits between my certificate and the CA.
I made that chain certificate by concatenating the PEM-format files of the
corresponding certs (all certs have Signature Algorithm: sha256WithRSAEncryption):
cat server.pem sub.class2.server.ca.pem ca-sha2.pem > /etc/ssl/server-unified.pem
server-unified.pem looks like:
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----
Certificate and key are installed in the default locations:
# ls -alh /etc/ssl/private/server.key
-r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem
I try to test using openssl s_client:
michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(00000003)
GET / HTTP/1.0
httpd log:
# httpd -dvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default
there is no "server_tls_init"
nothing appears when the openssl s_client command is started
^Clogger exiting, pid 20328
server exiting, pid 17109
server exiting, pid 6140
server exiting, pid 16603
parent terminating, pid 11859
I tested combinations of the unified certificate like:
cat server.pem sub.class2.server.ca.pem > /etc/ssl/server-unified.pem
cat ca-sha2.pem sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
cat sub.class2.server.ca.pem server.pem > /etc/ssl/server-unified.pem
but the situation is always as described above.
When I change the "tls certificate" line in the config file to:
tls certificate "/etc/ssl/server.pem"
where server.pem is the PEM-format certificate file from my CA (without the
entire SSL certificate trust chain) and start httpd:
# httpd -dvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_tls_init: setting up TLS for default
server_launch: running server default
server_tls_init: setting up TLS for default
server_tls_init: setting up TLS for default
server_launch: running server default
server_launch: running server default
server_launch: running server default
default 10.11.0.100 - - [14/May/2015:14:07:50 +0200] "GET / HTTP/1.0" 200 7
server default, client 1 (1 active), 10.11.0.100:52805 -> 10.11.0.200:443, done
^Clogger exiting, pid 5930
server exiting, pid 19884
server exiting, pid 26372
server exiting, pid 14384
parent terminating, pid 22451
I try to test using openssl s_client like before:
michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(00000003)
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PL, ST = Mazowieckie, L = Warszawa, O = XXX, CN = XXX, emailAddress = XXX
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
  i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
subject=/C=PL/ST=Mazowieckie/L=Warszawa/O=XXX/CN=XXX/emailAddress=XXX
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 8192 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
763361AC6825A838E0FE8782F8FE20DF048536FECC20530E16003132C5BEDB66
Session-ID-ctx:
Master-Key:
39DCA8F06FE62896A75D1D4B8C961D5FB4E5B50238A59C7AB21DB33C63723AFF0C93D099064D37419FD385B7EEC1573C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1431605259
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0
HTTP/1.0 200 OK
Connection: close
Content-Length: 7
Content-Type: text/html
Date: Thu, 14 May 2015 12:07:50 GMT
Last-Modified: Wed, 13 May 2015 17:29:26 GMT
Server: OpenBSD httpd
devcat
read:errno=0
Unfortunately I did not find an answer on the mailing list / Google.
BTW, I have the same situation with httpd in OpenBSD 5.6 stable (the only
change in the config file is ssl [5.6] --> tls [5.7]).
Any ideas on what I'm doing wrong? How do I start a TLS server with a
chain/intermediate certificate? Thanks for your help!
Best Regards,
Michal Lesniewski
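Before pointing httpd at a concatenated bundle, a check like the following catches the three usual bundle mistakes: BEGIN/END markers glued onto one line because a .pem file lacked a trailing newline, certificates in the wrong order, and a key that does not belong to the first certificate. This is an added example, not code from the original post or from OpenBSD; it assumes openssl(1) and awk are available, that the server certificate comes first followed by its intermediate(s), and the file names are taken from the post above.

```shell
#!/bin/sh
# check_chain.sh: sanity-check a concatenated PEM bundle before handing it to httpd(8).
# Added example; file names follow the post above and are assumptions, not httpd's code.
# Usage: sh check_chain.sh /etc/ssl/server-unified.pem /etc/ssl/private/server.key
# Checks: (1) every BEGIN/END marker is on its own line (a .pem without a trailing
# newline glues two markers together when cat'ed), (2) each cert's issuer is the
# subject of the next cert (leaf first, then intermediates), (3) the key matches the leaf.

# split_pem BUNDLE DIR: write each certificate block of BUNDLE into DIR/cert.N
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# check_chain BUNDLE KEY: returns 0 when the bundle is well-formed and consistent
check_chain() {
    bundle=$1; key=$2
    # (1) a marker sharing its line with other text means a newline is missing
    if grep -n -- '-----END CERTIFICATE-----.' "$bundle" \
        || grep -n -- '.-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "FAIL: BEGIN/END markers are not on their own lines"; return 1
    fi
    dir=$(mktemp -d) || return 1
    split_pem "$bundle" "$dir"
    # (2) walk the chain: issuer of cert N must equal subject of cert N+1
    n=1
    while [ -f "$dir/cert.$((n + 1))" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$dir/cert.$n")
        subject=$(openssl x509 -noout -subject -in "$dir/cert.$((n + 1))")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "FAIL: cert $n is not issued by cert $((n + 1)) (wrong order?)"
            rm -rf "$dir"; return 1
        fi
        n=$((n + 1))
    done
    # (3) the private key must belong to the first (server) certificate
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.1")
    key_pub=$(openssl pkey -pubout -in "$key")
    rm -rf "$dir"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the first certificate"; return 1
    fi
    echo "OK: $n certificate(s), chain order and key are consistent"
}

if [ $# -eq 2 ]; then check_chain "$1" "$2"; fi
```

The root certificate (ca-sha2.pem in the post) does not need to be in the bundle, since clients must already hold it in their trust store; the checker accepts it either way as long as the order is leaf, intermediate, root.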