On 12.02.2017 at 12:04, Michael Ströder wrote:
> sca+openldap@andreasschulze.de wrote:
>> As discussed on the technical ML, it's uncommon to put chain certificates in TLSCACertificateFile or TLSCACertificatePath. In the case of an intermediate CA like "Let's Encrypt Authority X3" it may be wrong, because the user is forced to /TRUST/ that intermediate for an unrelated purpose.
> We should be more precise here - especially regarding the term "user".

Agree.

> IMO it is common to put the whole CA cert chain in the cert configuration of a TLS server. This is required so that the TLS *client* only has to know the root CA cert (trust anchor) and the TLS server sends the intermediate certs. Note that some TLS implementations like GnuTLS require the CA cert chain to be "in order" (bottom-up).

As I don't use GnuTLS, I can't say anything about its internals.

> The real issue here is that TLSCACertificateFile and TLSCACertificatePath are also used to specify the set of trusted CA certs to validate TLS client certs used by the TLS client to authenticate.

Correct. That's also what "man 3 SSL_CTX_use_certificate" mentions.

> So I'm not sure whether your patch breaks the use-case of having more than one trusted root CA cert for validating TLS client certs issued by independent CAs.

I can imagine a setup with RSA and EC certificates. Two certs are more complex than one. But if an admin decides to use different CAs, it's his decision to take on more complexity.

> I think we might need different directives for trusted CA certs for client cert validation and the server cert chain (similar to what's done in Apache mod_ssl with SSLCertificateChainFile and SSLCACertificateFile/SSLCACertificatePath).

Also: I don't use Apache, so I can't tell if that way is the best. Postfix, Dovecot and nginx, for example, don't require an "SSLCertificateChainFile" directive.

> It could be sufficient to simply add the server CA cert chain to TLSCertificateFile and only add the trusted root CA certs to TLSCACertificateFile/TLSCACertificatePath (and no C code patch needed for that, maybe review/clarification of the docs).

That's what the patch tries. Currently, I tried to add cert+chain to a file used as TLSCertificateFile. The chain is ignored, as expected and documented in "man 3 SSL_CTX_use_certificate_file". Simply replacing SSL_CTX_use_certificate_file by SSL_CTX_use_certificate_chain_file fixes that. I now can put cert+chain (excluding a root) into the file used as TLSCertificateFile. As simple as it could be.

But: I'm aware there are other use cases, years old, that this will break. So my ITS is more intended to point out a problem than simply changing OpenLDAP to my needs.
Andreas
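A runnable companion to the two points made in this exchange (the client only needs the root, so the server must deliver the intermediate; and a chain bundle must be in bottom-up order with no root). This is an added example, not code from the thread or from OpenLDAP. It assumes an `openssl` command-line binary (1.0.2 or newer) on PATH and builds its own throw-away PKI; the CA names and the server name `ldap.example.org` are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenLDAP: build a throw-away
# root -> intermediate -> leaf PKI with the openssl CLI, then show (1) that a
# client holding only the root cannot validate the leaf unless the intermediate
# is supplied, and (2) how to check that a bundle meant for TLSCertificateFile is
# in "bottom-up" order (leaf first, then its issuer, no self-signed root).
# Assumes: an openssl binary (1.0.2 or newer) on PATH; all names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: a DN section (overridden by -subj) plus extension sections.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# Self-signed root: the only certificate a TLS client needs to trust.
openssl req -x509 -new -config "$WORK/ca.cnf" -extensions v3_ca \
    -subj "/CN=Example Root CA" -nodes -newkey rsa:2048 -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=Example Intermediate CA" \
    -nodes -newkey rsa:2048 -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_ca -days 1825 \
    -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate, issued by the intermediate.
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=ldap.example.org" \
    -nodes -newkey rsa:2048 -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_leaf -days 365 \
    -out "$WORK/leaf.pem" 2>/dev/null

# The layout proposed in the thread, assuming a chain-aware TLSCertificateFile:
#   TLSCertificateFile    server-chain.pem  (leaf, then intermediate; no root)
#   TLSCACertificateFile  root.pem          (trust anchors only)
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"

# verify_ok TRUSTED [UNTRUSTED]: exit 0 if leaf.pem chains to TRUSTED, with
# UNTRUSTED standing in for the certificates a server sends in the handshake.
# The ": OK" text is tested because old openssl versions exit 0 on failure.
verify_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
    fi
}

# chain_in_order BUNDLE: exit 0 if every certificate after the first is the
# issuer of the one before it and no self-signed root is present, else 1.
chain_in_order() {
    bundle=$1
    parts=$(mktemp -d)
    awk -v dir="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$bundle"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    prev_issuer=""
    status=0
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -in "$parts/$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$parts/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then status=1; break; fi   # a root does not belong in the server chain
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ]; then status=1; break; fi   # gap or wrong order
        prev_issuer=$iss
        i=$((i + 1))
    done
    rm -rf "$parts"
    return "$status"
}

# Demonstration.
if verify_ok "$WORK/root.pem"; then
    echo "unexpected: bare leaf validated against the root alone"
else
    echo "leaf alone: a client holding only the root cannot validate it"
fi
if verify_ok "$WORK/root.pem" "$WORK/int.pem"; then
    echo "leaf + intermediate: validates against the root alone"
fi
if chain_in_order "$WORK/server-chain.pem"; then
    echo "server-chain.pem is in bottom-up order"
fi
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/wrong-order.pem"
if ! chain_in_order "$WORK/wrong-order.pem"; then
    echo "wrong-order.pem rejected: intermediate listed before the leaf"
fi
```

The `-untrusted int.pem` step plays the role of the intermediate the server sends in the handshake; without it, `openssl verify` with only `root.pem` fails with "unable to get local issuer certificate", which is exactly what an LDAP client sees when slapd serves the bare leaf. `chain_in_order` is the check to run on a bundle before pointing TLSCertificateFile at it: as Andreas reports above, unpatched slapd built against OpenSSL ignores everything after the first certificate in that file, so the ordering only matters once the chain is actually loaded.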