Enable auto_chain. Fixes #1330

FreeRADIUS · Oct 20, 2015 · e60a954 · e60a954
1 parent 4307283
commit e60a954
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
@@ -200,6 +200,15 @@ eap {
 		#
 		ca_file = ${cadir}/ca.pem
 
+	 	#  OpenSSL will automatically create certificate chains,
+	 	#  unless we tell it to not do that.  The problem is that
+	 	#  it sometimes gets the chains right from a certificate
+	 	#  signature view, but wrong from the clients view.
+		#
+		#  When setting "auto_chain = no", the server certificate
+		#  file MUST include the full certificate chain.
+	#	auto_chain = yes
+
 		#
 		#  If OpenSSL supports TLS-PSK, then we can use
 		#  a PSK identity and (hex) password.  When the
@@ -264,6 +273,7 @@ eap {
 		#
 	#	include_length = yes
 
+
 		#  Check the Certificate Revocation List
 		#
 		#  1) Copy CA certificates and CRLs to same directory.

diff --git a/src/include/tls-h b/src/include/tls-h
@@ -357,6 +357,7 @@ struct fr_tls_server_conf_t {
 	uint32_t	verify_depth;
 	bool		file_type;
 	bool		include_length;
+	bool		auto_chain;
 	bool		disable_tlsv1;
 	bool		disable_tlsv1_1;
 	bool		disable_tlsv1_2;

diff --git a/src/main/tls.c b/src/main/tls.c
@@ -1127,6 +1127,7 @@ static CONF_PARSER tls_server_config[] = {
 	{ FR_CONF_OFFSET("random_file", PW_TYPE_STRING, fr_tls_server_conf_t, random_file) },
 	{ FR_CONF_OFFSET("fragment_size", PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), .dflt = "1024" },
 	{ FR_CONF_OFFSET("include_length", PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), .dflt = "yes" },
+	{ FR_CONF_OFFSET("auto_chain", PW_TYPE_BOOLEAN, fr_tls_server_conf_t, auto_chain), .dflt = "yes" },
 	{ FR_CONF_OFFSET("check_crl", PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), .dflt = "no" },
 #ifdef X509_V_FLAG_CRL_CHECK_ALL
 	{ FR_CONF_OFFSET("check_all_crl", PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), .dflt = "no" },
@@ -2935,6 +2936,16 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client)
 #endif
 #endif
 
+	/*
+	 *	OpenSSL will automatically create certificate chains,
+	 *	unless we tell it to not do that.  The problem is that
+	 *	it sometimes gets the chains right from a certificate
+	 *	signature view, but wrong from the clients view.
+	 */
+	if (!conf->auto_chain) {
+		SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+	}
+
 	/* Set Info callback */
 	SSL_CTX_set_info_callback(ctx, cbtls_info);