Set certificate_chain from X509 object #7296

Open
wants to merge 1 commit into
base: master
from

bararchy commented Jan 10, 2019

No description provided.

@bararchy bararchy changed the title Set certificate_chain from memory object Set certificate_chain from X509 object Jan 10, 2019

bararchy commented Jan 10, 2019

This fails for me too with:

    SSL_CTX_use_certificate: error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm (OpenSSL::Error)

But looking at the docs I don't see why.

@RX14 @jhass @asterite @straight-shoota any idea?

docs at: https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html

bararchy commented Jan 13, 2019

This seems to be a dead end; I can't make this work.
Dropping it until I manage to figure out how it should behave.

@bararchy bararchy closed this Jan 13, 2019

asterite commented Jan 13, 2019

Does this work in Ruby? Sorry, I didn't have time to look at this.

bararchy commented Jan 13, 2019

@asterite Ruby has a way to add a Certificate object directly to context, yes.
https://docs.ruby-lang.org/en/2.6.0/OpenSSL/SSL/SSLContext.html#method-i-add_certificate

(as in, not only from file)

bararchy commented Jan 13, 2019

@asterite seems like it works in Ruby

    require "openssl"
    => true
    cert = OpenSSL::X509::Certificate.new
    => #<OpenSSL::X509::Certificate
     subject=#<OpenSSL::X509::Name >,
     issuer=#<OpenSSL::X509::Name >,
     serial=#<OpenSSL::BN 0>,
     not_before=nil,
     not_after=nil>
    context = OpenSSL::SSL::SSLContext.new
    => #<OpenSSL::SSL::SSLContext:0x00005587e589ef00>
    context.cert = cert
    => #<OpenSSL::X509::Certificate
     subject=#<OpenSSL::X509::Name >,
     issuer=#<OpenSSL::X509::Name >,
     serial=#<OpenSSL::BN 0>,
     not_before=nil,
     not_after=nil>

Ruby source:

    if (!SSL_CTX_use_certificate(ctx, x509)) {
        sk_X509_pop_free(extra_chain, X509_free);
        ossl_raise(eSSLError, "SSL_CTX_use_certificate");
    }

https://ruby-doc.org/stdlib-2.6/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#attribute-i-cert

@bararchy bararchy reopened this Jan 13, 2019

ysbaddaden commented Jan 13, 2019

It's possible that we don't initialize the X509 certificate correctly. What if you extract one from the cert file, then try to set it?

bararchy commented Jan 13, 2019

@ysbaddaden we currently have no way to initiate a new X509 object from a cert file, only to set up SSL::Context from it.
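
Added example, not part of the thread and not code from Crystal or Ruby: a Ruby check of the "X509 not initialized correctly" hypothesis, using the `add_certificate` method linked earlier in the thread. It loads an empty certificate object and a populated self-signed one into a context and reports which is accepted; the key, the `example.test` name and the helper names are constructed for illustration.

```ruby
require "openssl"

# Build a minimal self-signed certificate for +key+ (constructed sample data).
def self_signed_cert(key, common_name = "example.test")
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2            # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name         # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Load cert + key into a fresh context.
# Returns :ok, or the exception raised while loading.
def try_add_certificate(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(cert, key)
  :ok
rescue StandardError => e
  e
end

# Compare an empty X509 object (no public key set) with a populated one.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  {
    empty:     try_add_certificate(OpenSSL::X509::Certificate.new, key),
    populated: try_add_certificate(self_signed_cert(key), key),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |label, result|
    status = result == :ok ? "accepted" : "rejected (#{result.class}: #{result.message})"
    puts "#{label}: #{status}"
  end
end
```
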
