Failed to set up mTLS sessions using certificate chain #417
Comments
|
Okay, I would say you are technically correct because of this description (although I am not sure what "configured" means here). I must have overlooked it and considered this subtree to set only the server certificate, with these certificate lists to supply all the CA certificates (even though, again, the description mentions its purpose and it does not include this one). So, I am not strictly against changing it as it is obviously incorrect now. However, we are in the process of a major update of libnetconf2 that will use a different API (SO version 3). And I would prefer to wait with any significant changes (I consider this one to be such a change) for the release of that update and keep the functionality as it is now. Would that be acceptable for you? Regarding the client TLS API, we are not following any standardized YANG modules there but I suppose the same change would make sense so I would either change none or both. |
|
To be clear, I used this code in the callhome server, Otherwise OK to wait |
michalvasko
added
the
status:wontfix
Hi Michal,
My certificate file (server_chain.pem) of the callhome server contains 2 certificates:
The root CA certificate is found in another file, server_root.pem.
My callhome server sends only the first certificate contained in server_chain.pem. So the verification failed at the peer, a physical device not based on libnetconf2.
Looking into session_server_tls.c, the following function is called:
SSL_CTX_use_certificate_file(tls_ctx, cert_path, SSL_FILETYPE_PEM)
I replaced it with
SSL_CTX_use_certificate_chain_file(tls_ctx, cert_path)
It works fine. I think that this fix could be compatible with the file which contains only one certificate, but I did not test it.
The same issue also exists in session_client_tls.c, where I also changed to
SSL_CTX_use_certificate_chain_file(opts->tls_ctx, opts->cert_path)
The text was updated successfully, but these errors were encountered: