Hi all,
Whilst this is my first post to the mailing list I have been subscribed for a while now, as I've been compiling against OpenSSL both professionally, at work, and with my Open Source development in libcurl for the last 3 and a half years now ;-) Our SSL code, at work, is used in our application's embedded webserver whilst curl/libcurl (as I'm sure a lot of people here are aware) is a client side tool/library for transferring data with URL syntax.

Anyway, the nature of my query is server side related as it is in regards to the loading of certificates and the HTTPS layer in our webserver...

I am using SSL_CTX_use_certificate_chain_file() to load a PEM based certificate file that may contain a single self signed server cert (for example) but may instead contain a CA generated cert and the appropriate intermediate certs (depending on the client installation).

In this instance I am using OpenSSL v1.0.1j with a single self signed server cert (generated by using the OpenSSL v1.0.1g command line tool) and am finding that the call to SSL_CTX_use_certificate_chain_file() is returning zero, even though the load appears to be successful. In fact if I ignore the return code or check the error stack and continue then our webserver works as it should and the certificate details can be seen in IE and Chrome for example ;-)

If I use SSL_CTX_use_certificate_file() instead, all is well as well, as this function returns 1 (as expected) - whilst that works for a single cert it won't work for a chain :(

This problem happens under both Windows and RHEL / CentOS Linux - so I don't believe this is OS related.

I have built a debug version of the OpenSSL DLLs for use with our app and found that the problem lies with the following code from line 770 of ssl_rsa.c:

    /* When the while loop ends, it's usually just EOF. */
    err = ERR_peek_last_error();
    if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
        ERR_clear_error();
    else
        ret = 0; /* some real error */

ERR_peek_last_error() is returning zero which is then causing SSL_CTX_use_certificate_chain_file() to also return zero due to the "ret = 0".

As the file only contains the server cert, the while loop above this section of code has called PEM_read_bio_X509() which itself has returned NULL, which then means the call to SSL_CTX_add_extra_chain_cert() isn't executed - all as expected. However, if my understanding of ERR_peek_last_error() is correct there is no error code on the error stack rather than an EOF error being returned as the comments in the code would indicate.

As such:

* Is there a problem with my certificate - does it need extra blank lines or anything to force the EOF detection to succeed?

* Is there a setting I need to make on the CTX that I might have missed? I believe our code used to work when we were running against v0.9.8 and v1.0.0.

* Is there a bug in SSL_CTX_use_certificate() - the last call to succeed - or even PEM_read_bio_X509() that should be setting the EOF error code?

* Should the code in SSL_CTX_use_certificate_chain_file() be checking for a zero return value from ERR_peek_last_error() - something like:

    /* When the while loop ends, it's usually just EOF. */
    err = ERR_peek_last_error();
    if (err) {
        if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
            ERR_clear_error();
        else
            ret = 0; /* some real error */
    }

Many thanks in advance.

Kind Regards

Steve

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org