Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.9.0, 4.4.6
    • Affects Version/s: None
    • Component/s: Security
    • Fully Compatible
    • ALL
    • v4.4
    • Security 2021-03-22

Say that a certificate chain is structured as follows:

    server certificate -> intermediate certificate -> self-signed root certificate

When the server is presented with the certificates split this way:

    tlsCertificateKeyFile: server certificate -> intermediate certificate
    tlsCAFile: self-signed root certificate

the server is unable to staple an OCSP response because it cannot build out the chain. An OCSP request identifies the server certificate by its serial number together with hashes of the issuer's name and key, so the intermediate certificate must be located before the request can even be formed. The intermediate certificate is loaded into a different structure, not the X509 store of the SSL_CTX object, so a lookup against that store does not find it. We need to fetch the intermediate certificate from the internal OpenSSL object that holds it and build out the chain when we start the OCSP stapling process.
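As an added illustration of the chain-building problem described above (an example script, not MongoDB's code), the following recreates the ticket's layout with throwaway certificates and shows that the leaf's issuer has to come from the tlsCertificateKeyFile bundle, not from tlsCAFile, before an OCSP request can be formed. It assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH; all names and subjects are made up for the example.

```shell
#!/bin/sh
# Added example, not MongoDB's code. Builds root -> intermediate -> server with
# throwaway keys in a temp dir, then exercises chain building and OCSP CertID.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root: the tlsCAFile side of the ticket.
openssl req -x509 -nodes -newkey rsa:2048 -keyout root.key -out root.pem \
    -days 1 -subj "/CN=Example Test Root" >/dev/null 2>&1
# 2. Intermediate signed by the root; it must carry CA:TRUE to be a valid issuer.
openssl req -nodes -newkey rsa:2048 -keyout int.key -out int.csr \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1
# 3. Server (leaf) certificate signed by the intermediate.
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
    -subj "/CN=localhost" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out server.pem >/dev/null 2>&1
# The tlsCertificateKeyFile layout from the ticket: key + server cert + intermediate.
cat server.key server.pem int.pem > tlsCertificateKeyFile.pem

# Chain building with only the tlsCAFile contents: this is what a lookup against
# the X509 store sees, and it cannot reach the root without the intermediate.
verify_with_store_only() {
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}
# Chain building once the bundle's extra certificate (int.pem, the second cert in
# tlsCertificateKeyFile.pem) is offered as an untrusted intermediate.
verify_with_bundle_chain() {
    openssl verify -CAfile root.pem -untrusted int.pem server.pem >/dev/null 2>&1
}
# Forming an OCSP request needs the leaf's real issuer (the intermediate) for the
# CertID; returns the serial number the request asks about, in hex.
ocsp_request_serial() {
    openssl ocsp -issuer int.pem -cert server.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -reqin req.der -req_text 2>/dev/null \
        | sed -n 's/.*Serial Number: *//p' | head -n 1
}
# The leaf's own serial, in the same hex form, for comparison.
leaf_serial() {
    openssl x509 -in server.pem -noout -serial | cut -d= -f2
}
```

Running the three functions shows the store-only verification failing with "unable to get local issuer certificate" while the bundle-aware one succeeds, and the OCSP request's CertID naming the server certificate's serial.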

    • Assignee: Shreyas Kalyan
    • Reporter: Shreyas Kalyan
    • Votes: 0
    • Watchers: 5