Hello,
I'm having a problem trying to get a chained certificate to work with
uw-imapd. It works fine with apache-ssl and apache + mod_ssl.
On uw-imapd (which uses openssl) it fails as the CA certificate is
not presented (so the mail client gives a warning), or if I try and
present it OpenSSL rejects the key (and imapd completely fails).
Basically I have:
* The CA 'bundle' (certificate) -- 'bundle.pem'
* The certificate - 'wildcard.crt'
* The RSA private key - 'wildcard.key'
* The certificate + key together - 'wildcard.pem'
Using apache-ssl I do:
SSLCACertificateFile /etc/apache-ssl/bundle.pem
SSLCertificateFile /etc/apache-ssl/wildcard.pem
Using mod-ssl I do:
SSLCACertificateFile /etc/apache/bundle.pem
SSLCertificateFile /etc/apache/wildcard.crt
SSLCertificateKeyFile /etc/apache/wildcard.key
uw-imapd does the following (ignoring support for per-IP certs):
* by default:
tmp=/etc/ssl/certs/imapd.pem
SSL_CTX_use_certificate_chain_file (stream->context,tmp)
SSL_CTX_use_RSAPrivateKey_file (stream->context,tmp,SSL_FILETYPE_PEM)
* on debian:
tmpcrt=/etc/ssl/certs/imapd.pem
tmpkey=/etc/ssl/private/imapd.pem [if it exists, else use tmpcrt]
SSL_CTX_use_certificate_chain_file (stream->context,tmpcrt)
SSL_CTX_use_RSAPrivateKey_file (stream->context,tmpkey,SSL_FILETYPE_PEM)
If I put the certificate from bundle.pem into the wildcard.pem, then the
SSL_CTX_use_RSAPrivateKey_file fails, even if I only put it into the
one used in the use_certificate_chain_file and not the one in the
use_RSAPrivateKey_file (by using the two separate files).
The error is:
SSL error status: error:0B080074:x509 certificate
routines:X509_check_private_key:key values misma
What I expected/hoped to work was one of either:
/etc/ssl/certs/imapd.pem:
-----BEGIN CERTIFICATE-----
(bundle.pem cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(wildcard.pem cert)
-----END CERTIFICATE-----
/etc/ssl/private/imapd.pem:
-----BEGIN CERTIFICATE-----
(wildcard.pem cert)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(wildcard.pem key)
-----END RSA PRIVATE KEY-----
OR
/etc/ssl/certs:
-----BEGIN CERTIFICATE-----
(bundle.pem cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(wildcard.pem cert)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(wildcard.pem key)
-----END RSA PRIVATE KEY-----
However, both of these fail as above.
Am I going to have to modify the way uw-imapd uses OpenSSL to handle
the chained certificate, or am I putting the wrong thing in the PEM
files?
David.
--
David Luyer Phone: +61 3 9674 7525
Network Development Manager P A C I F I C Fax: +61 3 9698 4825
Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 BYTE
http://www.pacific.net.au/ NASDAQ: PCNTF
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
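An added illustration of the file layout in question, not code from the post above or from uw-imapd: SSL_CTX_use_certificate_chain_file reads the server's own certificate first and treats every later CERTIFICATE block as the chain, so a file that starts with the CA certificate pairs the key against the wrong certificate. The helper below assembles imapd.pem in that order and flags a file whose first certificate is not the server certificate; the PEM bodies it uses are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block, keeping its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, body)] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def pem_block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def build_chain_pem(leaf_crt, bundle_pem, key_pem):
    """Assemble the file SSL_CTX_use_certificate_chain_file expects:
    server certificate first, then the CA bundle, then (for the
    single-file uw-imapd layout) the private key."""
    leaf = [b for b in split_pem(leaf_crt) if b[0] == "CERTIFICATE"]
    chain = [b for b in split_pem(bundle_pem) if b[0] == "CERTIFICATE"]
    keys = [b for b in split_pem(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(leaf) != 1 or len(keys) != 1:
        raise ValueError("need exactly one server certificate and one key")
    return "".join(pem_block(l, b) for l, b in leaf + chain + keys)


def check_chain_order(chain_pem, leaf_crt):
    """Diagnose the layout problem: if the first CERTIFICATE block is not
    the server certificate, OpenSSL pairs the key with the CA certificate
    and X509_check_private_key reports a key values mismatch."""
    certs = [b for b in split_pem(chain_pem) if b[0] == "CERTIFICATE"]
    leaf = split_pem(leaf_crt)[0]
    if not certs:
        return "no certificate blocks found"
    if certs[0] != leaf:
        return "first certificate is not the server certificate: key mismatch"
    return "ok"


# Constructed placeholder PEM bodies (not real certificates or keys).
CA_CRT = pem_block("CERTIFICATE", "Q0EgY2VydA==")
LEAF_CRT = pem_block("CERTIFICATE", "bGVhZiBjZXJ0")
LEAF_KEY = pem_block("RSA PRIVATE KEY", "bGVhZiBrZXk=")

if __name__ == "__main__":
    good = build_chain_pem(LEAF_CRT, CA_CRT, LEAF_KEY)
    bad = CA_CRT + LEAF_CRT + LEAF_KEY   # CA first, the layout tried above
    print(check_chain_order(good, LEAF_CRT))
    print(check_chain_order(bad, LEAF_CRT))
```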