Changeset 2b76a9c in mod_gnutls


Timestamp:
Jan 29, 2013, 3:41:38 PM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
b8df283
Parents:
303dc6e
git-author:
Daniel Kahn Gillmor <dkg@…> (01/25/13 06:36:51)
git-committer:
Daniel Kahn Gillmor <dkg@…> (01/29/13 15:41:38)
Message:

X.509 certificates are ordered EE first (see https://tools.ietf.org/html/rfc5246#page-48)

Files:
2 edited

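--- a/docs/mod_gnutls_manual-0.1.html
+++ b/docs/mod_gnutls_manual-0.1.html
@@ -149,5 +149,12 @@
                 server config, virtual host<br />
             </div>       
-            <p>Takes an absolute or relative path to a PEM Encoded Certificate to use as this Server's Certificate.</p>
+            <p>Takes an absolute or relative path to a PEM-encoded
+            X.509 certificate to use as this Server's End Entity (EE)
+            certificate. If you need to supply certificates for
+            intermediate Certificate Authorities (iCAs), they should
+            be listed in sequence in the file, from EE to the iCA
+            closest to the root CA.  Optionally, you can also include
+            the root CA's certificate as the last certificate in the
+            list.</p>
             <h4>GnuTLSKeyFile</h4>
             <div class="directive">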
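--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -382,5 +382,6 @@
 #endif
 
-        if (sc->certs_x509_chain == NULL && sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
+            sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "[GnuTLS] - Host '%s:%d' is missing a Certificate File!",
@@ -389,5 +390,7 @@
         }
 
-        if (sc->enabled == GNUTLS_ENABLED_TRUE && ((sc->certs_x509_chain != NULL && sc->privkey_x509 == NULL) || (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
+        if (sc->enabled == GNUTLS_ENABLED_TRUE &&
+            ((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
+             (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "[GnuTLS] - Host '%s:%d' is missing a Private Key File!",
@@ -397,5 +400,8 @@
 
         if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = read_crt_cn(s, p, sc->certs_x509_chain[sc->certs_x509_chain_num-1], &sc->cert_cn);
+            rv = -1;
+            if (sc->certs_x509_chain_num > 0) {
+                rv = read_crt_cn(s, p, sc->certs_x509_chain[0], &sc->cert_cn);
+            }
             if (rv < 0 && sc->cert_pgp != NULL) {
                 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
@@ -547,5 +553,5 @@
     }
    
-    int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[tsc->certs_x509_chain_num-1], s->server_hostname);
+        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname);
     if (0 == ret)
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -754,5 +760,5 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[ctxt->sc->certs_x509_chain_num], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);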
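Review bot: The hostname check at new line 555 indexes `tsc->certs_x509_chain[0]` without the `certs_x509_chain_num > 0` guard that this same commit adds to the startup checks, so a virtual host configured with only an OpenPGP certificate (which the Certificate File check at new lines 384-385 now accepts) would dereference a NULL or empty chain here unless the code above the hunk, which starts outside it, already returns for non-X.509 configurations. Guarding it the same way keeps the two consistent: `if (tsc->certs_x509_chain_num > 0) {` / `    int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname);` with the existing mismatch log moved inside the block. The old `[ctxt->sc->certs_x509_chain_num]` index at line 756 read one element past the end of the array, so the change to `[0]` at new line 762 also fixes an out-of-bounds read; a short comment there such as `/* chain is stored EE-first (RFC 5246 7.4.2): [0] is the server certificate */` would record why index 0 is correct in all three places. Whether the loader actually fills the array in file order cannot be seen from this diff.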