[ejabberd] Re: SSL/TLS with ICA

Jaco Kroon jaco at kroon.co.za
Tue Dec 19 21:38:48 MSK 2006


Sorry about breaking anybodies threads, I only just subscribed and thus
cannot respond directly to the message at

SSL/TLS is actually a relatively basic protocol.  It relies on "chains" of
authority, and the certificates that are being issued are third-level
certificates.  The only certificate that should be installed on the client
is the root ca certicate, or the first level certificate.  As such only
the root CA cert should be in the file passed to -CAfile, not the entire
chain or OpenSSL will treat all those files as first-level CAs.  Whilst
this does no harm it is impossible to expect everybody to install every
possible second or even third (and I've seen depths of 6) level CA
certificate.  There are simply too many.

So instead the SSL/TLS server, as mentioned in the previous post, needs to
provide all but the root CA certificate (optionally it may also provide
that certificate, this much is made explicit in the RFC, and the oreilly
book has it correct).

So permitting the only certificate in the file usherchain was the root CA
file then the given s_client session in the previous post is correct.  The
patch looks good, except I'd recommend to also update the error message
just beneath the changed line to also reflect the function call change.

It should be noted that use_certificate_chain_file _REQUIRES_ that the
file be in PEM format (The way in which ejabberd was using it already made
this assumption so this won't be a problem), it is also possible to encode
the entire chain using DER format, however I'm not sure how one would go
about loading that into OpenSSL (I suspect one may need to use
use_certificate_file again - the DER encoding indicates whether a single
certificate is contained or whether there are multiple certificates).

Just applied to tlug.up.ac.za and the patch does indeed function
correctly, by simply appending the intermediate certificate to the file
the entire chain is properly passed to the client.


More information about the ejabberd mailing list