ssl server doesn't send complete chain?


ssl server doesn't send complete chain?

Roger Lipscombe-2
I've got a TLS server written in Erlang, and I'm using a custom root
CA and intermediate CA. When I attempt to use the certfile option to
ssl, with the server cert and intermediate cert in the same file, the
server sends only the server cert to the client. It doesn't send the
intermediate CA.

I found a similar problem reported against VerneMQ, here:
https://github.com/vernemq/vernemq/issues/865

But if I use gnutls-serv with the same server.pem, that _does_ send
both certificates.

What am I missing?

I note that the cacertfile option is documented as

"Path to a file containing PEM-encoded CA certificates. The CA
certificates are used to build the server certificate chain and for
client authentication."

However, I want to use a completely separate certificate chain for
client authentication, which is why I'm not putting my server CA in
this list.

Cheers,
Roger.
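A check a practitioner can run to confirm which certificates the server actually sends, as an added example that is not part of this thread: `openssl s_client -connect host:port -showcerts` prints the chain as numbered `s:`/`i:` (subject/issuer) pairs, and this Python parses constructed samples of that output (the incomplete chain the question describes and the complete one gnutls-serv sends) and reports whether the sent chain links up to a trusted root. Hostnames and CA names are placeholders.

```python
import re

# One chain entry in s_client output: " 0 s:<subject>" followed by "   i:<issuer>".
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

# Constructed sample: the failing case, only the leaf is sent and its issuer is the intermediate.
INCOMPLETE = """\
Certificate chain
 0 s:CN = mqtt.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
---
Server certificate
"""

# Constructed sample: leaf plus intermediate, as gnutls-serv sends them.
COMPLETE = """\
Certificate chain
 0 s:CN = mqtt.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
---
Server certificate
"""

TRUSTED_ROOTS = {"CN = Example Root CA"}  # subjects of roots the client trusts (placeholder)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(s_client_output)]

def check_chain(chain, trusted_roots):
    """Each issuer must be the next subject; the last issuer must be a trusted root (roots need not be sent)."""
    if not chain:
        return False, "server sent no certificates"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain break: {issuer!r} does not match {next_subject!r}"
    last_issuer = chain[-1][1]
    if last_issuer in trusted_roots:
        return True, "chain complete up to a trusted root"
    return False, f"missing intermediate: {last_issuer!r} was not sent"
```

Run it against the real `s_client` output of the Erlang server and of gnutls-serv to see the difference the question describes.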
Re: ssl server doesn't send complete chain?

Ingela Andin
Hi, that sounds like a feature request! A lot of the option handling is still pretty influenced by OpenSSL, as many of the options
were once upon a time options to OpenSSL.

Regards, Ingela, Erlang/OTP Team, Ericsson AB

On Fri 1 May 2020 at 17:47, Roger Lipscombe <[hidden email]> wrote: