Article delegate-en/3346 of [1-5169] on the server localhost:119
[Reference:<_A3316@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Patch to allow certificate chains (Was: How do I include CA Certificat Chain?)
30 Jun 2006 14:13:20 GMT Deliv <p6qgabdyi-6rjyzcn5j63r.ml@ml.delegate.org>


Since no one answered me, I whipped up a patch to allow a full certificate 
chain to be included into the server certificate.pem file.
Simply make sure that your certificate file contains the certificates 
needed to get to a valid CA in the browser/client you intend to use.
If you want to try it, ipsca.com gives you a certificate for free for 90 
days :)
I haven't coded C for a LONG time, so bear with the crude implementation 
if you need it.

Regards Devli

--- PATCH --

*** ../orig-pre7/filters/sslway.c       Wed Jun  7 04:07:42 2006
--- filters/sslway.c    Fri Jun 30 07:54:34 2006
***************
*** 222,223 ****
--- 222,227 ----
  int  SSL_CTX_use_certificate_file(SSL_CTX *ctx,PCStr(file), int type);
+ int  SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
+ /* Using void* instead of STACK_OF(X509_NAME) to avoid mess.. */
+ void *SSL_load_client_CA_file(const char *file);/*OPT(0)*/
+ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, void *list);/*OPT(0)*/
 
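
Review bot: The two client-CA prototypes take and return void * where OpenSSL declares STACK_OF(X509_NAME) *, so the compiler can no longer check the argument at the call site; a forward declaration of the stack type would keep the real signature without pulling in the headers. The added SSL_CTX_use_certificate_chain_file line also differs from its neighbours: it uses const char *file where the existing declaration uses PCStr(file), and it lacks the /*OPT(0)*/ marker the other two added lines carry. Please make these consistent or note why they differ.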
***************
*** 1052,1054 ****
        getcwd(cwd,sizeof(cwd));
!       if( SSL_CTX_use_certificate_file(ctx,certfile,SSL_FILETYPE_PEM) ){
                DEBUG("certfile loaded: %s",certfile);
--- 1056,1058 ----
        getcwd(cwd,sizeof(cwd));
!       if( SSL_CTX_use_certificate_chain_file(ctx,certfile) ){
                DEBUG("certfile loaded: %s",certfile);
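
Review bot: At the replaced call, SSL_CTX_use_certificate_chain_file changes what certfile must contain, and that is not documented anywhere in the hunk. The file must be PEM (the SSL_FILETYPE_PEM argument is gone, so no other type can be selected), with the server certificate first and the intermediate certificates after it in order towards the root. A short comment above the call, or a more specific DEBUG message, should state this ordering, because a file that starts with a CA certificate would have that certificate taken as the server's.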
***************
*** 1058,1059 ****
--- 1062,1064 ----
        }
+       SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(certfile));
        if( SSL_CTX_use_RSAPrivateKey_file(ctx,keyfile,SSL_FILETYPE_PEM) ){
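
Review bot: The added SSL_CTX_set_client_CA_list line passes the result of SSL_load_client_CA_file(certfile) straight through with no NULL check, and it follows the closing brace of the preceding block, so it appears to run whether or not certfile loaded. It also reuses the server's own chain file as the list of CA names advertised to clients when a client certificate is requested, which is a separate setting from sending the server's chain and is not needed for the stated goal. Consider dropping this line, or reading the client CA list from its own file and checking the return value before use.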

deliv wrote:
> Hi,
> I have a real key, real certificate, BUT.. to get it working I need to
> install a "ca certificate bundle" according to the CA provider.
> Now my question, how the heck do I include these certificates (the
> bundle is 2 certificates).
>
> CA Provider: ipsca.com
> info regarding ca bundle installation:
> http://certs.ipsca.com/Support/CSRApache-MOD-SSL.asp
> The bundle: http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.crt
>
> I hope this is possible with delegate, since ipsca is rather cheap for
> real certificates (3 months free...)
>
> Regards
> /Deliv
>
>   

