Postfix sets up RSA and DSA certs by calling:
/* RSA public and private keys */
SSL_CTX_use_certificate_chain_file(ctx, rsa_cert_file);
SSL_CTX_use_PrivateKey_file(ctx, rsa_key_file, SSL_FILETYPE_PEM);
/* DSA public and private keys */
SSL_CTX_use_certificate_chain_file(ctx, dsa_cert_file);
SSL_CTX_use_PrivateKey_file(ctx, dsa_key_file, SSL_FILETYPE_PEM);
I am adding support for ECDSA, and considering (a proposed simpler
user-interface in main.cf makes this more natural) changing the call
sequence to:
/* First all the public keys */
SSL_CTX_use_certificate_chain_file(ctx, rsa_cert_file);
SSL_CTX_use_certificate_chain_file(ctx, dsa_cert_file);
SSL_CTX_use_certificate_chain_file(ctx, ecdsa_cert_file);
/* Now all the private keys */
SSL_CTX_use_PrivateKey_file(ctx, rsa_key_file, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, dsa_key_file, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, ecdsa_key_file, SSL_FILETYPE_PEM);
The re-ordered call sequence works the same way given the library
implementation, but is this freedom part of the interface or just an
implementation accident? Am I required to interleave the public/private
key calls to avoid compatibility issues with future releases?
The 0.9.9 manpage for these functions still talks about supporting
only two certificate types, but three are supported now that ECDSA
is implemented, so the documentation is not entirely current.
Finally, it is not clear to me how SSL_CTX_use_certificate_chain_file()
interacts with multiple cert files/chains. Is this still the right interface
when RSA, DSA and ECDSA certs are all in play? I don't understand the intent
of the following text from SSL_CTX_use_certificate_chain_file(3):
SSL_CTX_use_certificate_chain_file() adds the first
certificate found in the file to the certificate store. The
other certificates are added to the store of chain certificates
using SSL_CTX_add_extra_chain_cert(3). There exists only one
extra chain store, so that the same chain is appended to both
types of certificates, RSA and DSA! If it is not intended to
use both type of certificate at the same time, it is recommended
to use the SSL_CTX_use_certificate_chain_file() instead of the
SSL_CTX_use_certificate_file() function in order to allow the use
of complete certificate chains even when no trusted CA storage
is used or when the CA issuing the certificate shall not be added
to the trusted CA storage.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
