[jabberd] [alex@linlab.net: jabberd2 SSL CA Chain bugfix]

Robert Norris rob at cataclysm.cx
Sun Apr 30 17:21:03 CDT 2006


----- Forwarded message from Alex Bergmann <alex at linlab.net> -----

Date: Sun, 30 Apr 2006 17:18:46 +0200 (CEST)
From: Alex Bergmann <alex at linlab.net>
To: rob at cataclysm.cx
Subject: jabberd2 SSL CA Chain bugfix

Hi Rob,

I spent some time getting my jabberd2 server up and running with SSL 
support. I'm using version jabberd-2.0s11. There is currently a problem 
with the ssl.c setup, and the C2S module is unable to load the CA chain 
file. According to the OpenSSL documentation it is necessary to load the 
chain before the server cert and key file.

<snap>
Function SSL_CTX_use_certificate_chain_file:

If you loaded a private key file before issuing this function, the private 
key in that file does not match the corresponding public key in the 
certificate.
</snap>

After I moved the function "Load the CA chain, if configured" before "load 
the certificate", I was able to use the SSL connection with my Jabber 
client.

Please find attached the corresponding patch file.


Thanks for the great Jabber server. ;-)


Ciao,
Alex

---
email: alex at linlab.net
jabber: alex at linlab.net

hg2g: "What's so unpleasant about being drunk?"
      "You ask a glass of water."

diff -Nur jabberd-2.0s11/sx/ssl.c jabberd-2.0s11-updated/sx/ssl.c
--- jabberd-2.0s11/sx/ssl.c	2005-04-07 10:15:24.000000000 +0200
+++ jabberd-2.0s11-updated/sx/ssl.c	2006-04-30 16:54:42.000000000 +0200
@@ -598,6 +598,14 @@
         return 1;
     }
     
+    /* Load the CA chain, if configured */
+    if (cachain != NULL) {
+        ret = SSL_CTX_use_certificate_chain_file(ctx, cachain);
+        if(ret != 1) {
+            _sx_debug(ZONE, "WARNING: couldn't load CA chain");
+        }
+    }
+
     /* load the certificate */
     ret = SSL_CTX_use_certificate_file(ctx, pemfile, SSL_FILETYPE_PEM);
     if(ret != 1) {
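Review bot: The relocated block still treats a failed SSL_CTX_use_certificate_chain_file as non-fatal, logging only `_sx_debug(ZONE, "WARNING: couldn't load CA chain");` and falling through, while the neighbouring certificate and key failures `return 1;`. Now that the chain is loaded first, a failure here means the server will present the leaf certificate from pemfile with no intermediates, which clients will reject with an unknown-issuer error rather than anything this debug line makes obvious; consider returning 1 here as well, or at least logging at the same level as the other load failures. Also worth a comment in the code: SSL_CTX_use_certificate_chain_file installs the first certificate of cachain as the server certificate, and the following SSL_CTX_use_certificate_file(ctx, pemfile, ...) call is what replaces it with the real leaf, so the two calls must stay in this order.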
@@ -614,14 +622,6 @@
         return 1;
     }
 
-    /* Load the CA chain, if configured */
-    if (cachain != NULL) {
-        ret = SSL_CTX_use_certificate_chain_file(ctx, cachain);
-        if(ret != 1) {
-            _sx_debug(ZONE, "WARNING: couldn't load CA chain");
-        }
-    }
-
     /* check the private key matches the certificate */
     ret = SSL_CTX_check_private_key(ctx);
     if(ret != 1) {
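Review bot: Removing the chain load from this position is the actual fix: here it ran after the private key had already been set on ctx, which is the situation the quoted OpenSSL documentation describes, so SSL_CTX_use_certificate_chain_file compared the key against the first certificate in the chain file (a CA certificate) and reported the mismatch. After this hunk the only consistency check left at this point is SSL_CTX_check_private_key, which now validates the key against the certificate from pemfile, as intended.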


----- End forwarded message -----

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/