Changeset 2b76a9c in mod_gnutls

Timestamp:

Jan 29, 2013, 3:41:38 PM (9 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, master, msva, proxy-ticket, upstream

Children:

b8df283

Parents:

303dc6e

git-author:

Daniel Kahn Gillmor <dkg@…> (01/25/13 06:36:51)

git-committer:

Daniel Kahn Gillmor <dkg@…> (01/29/13 15:41:38)

Message:

X.509 certificates are ordered EE first (see ​https://tools.ietf.org/html/rfc5246#page-48)

Files:

• docs/mod_gnutls_manual-0.1.html (modified) (1 diff)
• src/gnutls_hooks.c (modified) (5 diffs)

docs/mod_gnutls_manual-0.1.html

@@ -149 +149 @@
                 server config, virtual host<br />
             </div>        
-            <p>Takes an absolute or relative path to a PEM Encoded Certificate to use as this Server's Certificate.</p>
+            <p>Takes an absolute or relative path to a PEM-encoded
+            X.509 certificate to use as this Server's End Entity (EE)
+            certificate. If you need to supply certificates for
+            intermediate Certificate Authorities (iCAs), they should
+            be listed in sequence in the file, from EE to the iCA
+            closest to the root CA.  Optionally, you can also include
+            the root CA's certificate as the last certificate in the
+            list.</p>
             <h4>GnuTLSKeyFile</h4>
             <div class="directive">

src/gnutls_hooks.c

@@ -382 +382 @@
 #endif
 
-        if (sc->certs_x509_chain == NULL && sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
+            sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
                                                 "[GnuTLS] - Host '%s:%d' is missing a Certificate File!", 
@@ -389 +390 @@
         }
 
-        if (sc->enabled == GNUTLS_ENABLED_TRUE && ((sc->certs_x509_chain != NULL && sc->privkey_x509 == NULL) || (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
+        if (sc->enabled == GNUTLS_ENABLED_TRUE &&
+            ((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
+             (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 
                                                 "[GnuTLS] - Host '%s:%d' is missing a Private Key File!", 
@@ -397 +400 @@
 
         if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = read_crt_cn(s, p, sc->certs_x509_chain[sc->certs_x509_chain_num-1], &sc->cert_cn);
+            rv = -1;
+            if (sc->certs_x509_chain_num > 0) {
+                rv = read_crt_cn(s, p, sc->certs_x509_chain[0], &sc->cert_cn);
+            }
             if (rv < 0 && sc->cert_pgp != NULL) { 
                 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
@@ -547 +553 @@
     }
    
-        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[tsc->certs_x509_chain_num-1], s->server_hostname);
+        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname);
     if (0 == ret)
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -754 +760 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[ctxt->sc->certs_x509_chain_num], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);