
Support SSL_CTX_use_certificate_chain_file for providing certificate chains #254

Closed
p-mongo opened this issue May 31, 2019 · 5 comments

p-mongo commented May 31, 2019

Use case: providing certificates to servers where certificates are signed by intermediate certificates, not root CAs (root CA -> intermediate -> client cert).

ruby-openssl currently uses SSL_CTX_use_certificate_file to add a certificate file to the SSL context. This works when the certificate is signed directly by a CA specified in the CA file, but does not work when the client certificate is signed by an intermediate certificate which is signed by the CA certificate.

OpenSSL appears to provide SSL_CTX_use_certificate_chain_file method (https://linux.die.net/man/3/ssl_ctx_use_certificate_chain_file) which adds the entire certificate chain to the context. As far as I can tell ruby-openssl does not reference this method anywhere in the source. An argument to this method is path to a bundle file, i.e. file which sequentially contains the client certificate and any intermediate certificates needed to get to the root CA cert.

One possible workaround to use certificates signed by intermediate certs is to take the bundle file, split it manually in the application into the separate certificates, and then use extra_chain_cert option on the context to add the intermediate certificates to the context. This is done in venuenext/ruby-kafka@9495f5d (zendesk/ruby-kafka#633) for ruby-kafka. However, manually splitting certificate bundle files seems error prone, especially given that OpenSSL natively can handle the bundles.

Is there a way to directly pass a certificate bundle to ruby-openssl such that the bundle will then be sent to the server during TLS handshake, and if not, can support for SSL_CTX_use_certificate_chain_file be added please?

@ioquatix (Member) commented

I also want this.

@ioquatix (Member) commented

We should add some specs/tests for this.

@ioquatix (Member) commented

I've added a very basic test 10afb35

@ioquatix (Member) commented

I'm playing around with this too:

require 'openssl'

module OpenSSL::X509
  # Match one PEM certificate block; the non-greedy /m form spans lines,
  # so a bundle with several certificates yields one match per certificate.
  CERTIFICATE_PATTERN = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

  # Load every certificate in a PEM bundle file, in file order
  # (entity certificate first, then the intermediates).
  def self.load_certificates(path)
    File.read(path).scan(CERTIFICATE_PATTERN).collect do |text|
      Certificate.new(text)
    end
  end
end
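
The workaround the thread describes (split the bundle, put the first certificate in `cert` and the rest in `extra_chain_cert`) as a complete example, added here and not code from ruby/openssl or from the issue participants. It builds a root -> intermediate -> leaf chain in memory with constructed names, serializes leaf plus intermediate as the "bundle" a server would be given, and then shows with an `OpenSSL::X509::Store` holding only the root why sending the intermediate matters: the leaf alone fails path building, the leaf with the extra chain verifies. The helpers `make_cert`, `split_bundle`, `context_from_bundle` and `demo` are assumptions of this example, not ruby/openssl API.

```ruby
require 'openssl'

# Added example (not ruby/openssl code): constructed in-memory chain
# root CA -> intermediate CA -> client leaf, then the extra_chain_cert workaround.

CERT_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Issue a v3 certificate for +subject+; self-signed when issuer_cert is nil.
def make_cert(subject, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Split a PEM bundle into certificates, preserving file order (leaf first).
def split_bundle(pem)
  pem.scan(CERT_RE).map { |text| OpenSSL::X509::Certificate.new(text) }
end

# The workaround from the thread: the first certificate is the entity cert,
# the rest are sent as extra_chain_cert so the peer can build a path to its root.
def context_from_bundle(bundle_pem, key)
  certs = split_bundle(bundle_pem)
  raise ArgumentError, "bundle contains no certificates" if certs.empty?
  raise ArgumentError, "key does not match first certificate" unless certs.first.check_private_key(key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = certs.first
  ctx.key = key
  ctx.extra_chain_cert = certs.drop(1)
  ctx
end

def demo
  root_key  = OpenSSL::PKey::RSA.new(2048)
  inter_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  root  = make_cert("Example Root CA", root_key, serial: 1, ca: true)
  inter = make_cert("Example Intermediate CA", inter_key, serial: 2, ca: true,
                    issuer_cert: root, issuer_key: root_key)
  leaf  = make_cert("client", leaf_key, serial: 3, ca: false,
                    issuer_cert: inter, issuer_key: inter_key)

  bundle = leaf.to_pem + inter.to_pem # constructed stand-in for a bundle file
  ctx = context_from_bundle(bundle, leaf_key)

  store = OpenSSL::X509::Store.new
  store.add_cert(root) # the verifying side trusts only the root CA

  leaf_alone = store.verify(ctx.cert)                          # no intermediate: path building fails
  alone_error = store.error_string
  with_chain = store.verify(ctx.cert, ctx.extra_chain_cert)    # intermediate supplied: verifies

  { chain_len: ctx.extra_chain_cert.length, leaf_alone_ok: leaf_alone,
    alone_error: alone_error, with_chain_ok: with_chain }
end

p demo if __FILE__ == $0
```

Order in the bundle matters: `SSL_CTX_use_certificate_chain_file` expects the entity certificate first followed by the intermediates, and the split above relies on the same convention. The `check_private_key` guard catches the common mistake of pairing the key with an intermediate that happened to come first in the file.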


p-mongo commented Jun 13, 2019

Thank you!

Our current workaround: mongodb/mongo-ruby-driver@1f64d64#diff-ed625ecdabf4aeff5d1a5fc04b958a3a

rhenium added a commit to rhenium/ruby-openssl that referenced this issue May 13, 2020
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.

My comment on ruby#257:

> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdb was not really
> useful. The issue is described in ruby#305. ruby#309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by ruby#320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is ruby#288, and
> it's still cooking.

This effectively reverts the following commits:

 - dacd089 ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
 - 46e4bdb ("Add support for SSL_CTX_use_certificate_chain_file. Fixes ruby#254.", 2019-06-13)