When testing SIPp back to back over TLS, the intermediate certificates have to be included in the CA certificate file for the handshake to succeed.
The expectation is that the certificate chain is sent together with the end-entity certificate, i.e. the intermediate certificate(s) followed by the end-entity certificate.
However, this always fails unless the intermediate certificate is already included in the CA file.
The setup can be recreated as follows:
Create a CA certificate with OpenSSL.
With that CA, create two intermediate certificates; call them the client intermediate and the server intermediate.
With the client intermediate, sign a certificate request for the UAC certificate.
With the server intermediate, sign a certificate request for the UAS certificate.
In this case the UAC and UAS were running in separate containers, but that doesn't matter.
If CA.crt contains only the root CA, as it should, the following errors are seen:
UAS: Error in SSL_accept: SSL protocol error. SSL I/O function returned SSL_ERROR_SSL
UAC: Unable to connect a TCP socket.
Running the same with trace enabled, this is seen on the UAC: verify error:num=20:unable to get local issuer certificate:depth=0
With the same setup, if the intermediate certificate from server/tls.crt is appended to ca.crt, then it works.
The root cause is that OpenSSL reads only the first certificate of the file passed via tls_cert.
Looking at src/sslsocket.cpp, it uses SSL_CTX_use_certificate_file() to load the file instead of SSL_CTX_use_certificate_chain_file(), which reads the whole PEM file into a STACK_OF(X509) struct.
OpenSSL documents it here: https://docs.openssl.org/master/man3/SSL_CTX_use_certificate/
where the Notes section states:
SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to the trusted CA storage.
This works in my setup.
Note that I discovered this in a Kubernetes environment, where cert-manager is used to issue certificates and intermediate certificates are in use.
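The reproduction steps and the three outcomes described above (the leaf alone against a CA file holding only the root, the leaf together with its intermediate, and the workaround of appending the intermediate to the CA file), rebuilt with the openssl command line. This is an added example and is not part of the original report or of SIPp. Subject names, file names and the working directory are assumptions; `openssl verify -untrusted` stands in for the chain a server loaded with SSL_CTX_use_certificate_chain_file() would present, while the "first PEM block only" case mirrors what SSL_CTX_use_certificate_file() loads.

```shell
#!/bin/sh
# Added example, not SIPp's own code: rebuild the root -> intermediate -> leaf
# setup from the report with the openssl CLI and compare three verifications.
# Subjects, file names and the working directory are assumptions for this demo.

if [ -z "${WORK:-}" ]; then
    WORK="$(mktemp -d)"
    trap 'rm -rf "$WORK"' EXIT
fi

# make_chain: a root CA, a "server intermediate" signed by it, and the UAS leaf
# signed by the intermediate. uas-chain.crt is the leaf followed by the
# intermediate, the layout cert-manager writes into tls.crt.
make_chain() (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:uas.example.test\n' > leaf.ext

    # root CA: self-signed and explicitly marked as a CA
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.csr 2>/dev/null || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
        -extfile ca.ext -out root.crt 2>/dev/null || exit 1

    # server intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Server Intermediate' \
        -keyout server-int.key -out server-int.csr 2>/dev/null || exit 1
    openssl x509 -req -in server-int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile ca.ext -out server-int.crt 2>/dev/null || exit 1

    # UAS end-entity certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=uas.example.test' \
        -keyout uas.key -out uas.csr 2>/dev/null || exit 1
    openssl x509 -req -in uas.csr -CA server-int.crt -CAkey server-int.key -CAcreateserial \
        -days 2 -sha256 -extfile leaf.ext -out uas.crt 2>/dev/null || exit 1

    # what tls.crt looks like: leaf first, then the intermediate
    cat uas.crt server-int.crt > uas-chain.crt
)

# verify_first_cert_only: what SSL_CTX_use_certificate_file() loads, the first
# PEM block of the chain file, checked against a CA file holding only the root.
# Expected to fail with "unable to get local issuer certificate" (error 20).
verify_first_cert_only() {
    awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$WORK/uas-chain.crt" > "$WORK/first.crt"
    openssl verify -CAfile "$WORK/root.crt" "$WORK/first.crt"
}

# verify_with_chain: the intermediate travels with the leaf, as it does when the
# server loads the whole file with SSL_CTX_use_certificate_chain_file(). The CA
# file still holds only the root, which is the correct trust configuration.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/uas-chain.crt" "$WORK/uas.crt"
}

# verify_with_intermediate_in_ca: the workaround from the report, the
# intermediate appended to the CA file, so the leaf alone verifies.
verify_with_intermediate_in_ca() {
    cat "$WORK/root.crt" "$WORK/server-int.crt" > "$WORK/ca-with-int.crt"
    openssl verify -CAfile "$WORK/ca-with-int.crt" "$WORK/uas.crt"
}

make_chain || { echo "could not build the demo chain (is openssl installed?)"; exit 1; }
echo "== leaf only, CA file holds only the root (fails):"
verify_first_cert_only || true
echo "== leaf plus intermediate, CA file holds only the root (OK):"
verify_with_chain
echo "== leaf only, intermediate appended to the CA file (OK, the workaround):"
verify_with_intermediate_in_ca
```

The first check reproduces the UAC's verify error 20 at depth 0; the second shows that the correct fix is on the sender's side (present the chain), while the third shows the workaround actually works by turning the intermediate into a trust anchor on the verifier, which is what the report asks to avoid. On the server side the equivalent change in C is replacing SSL_CTX_use_certificate_file(ctx, path, SSL_FILETYPE_PEM) with SSL_CTX_use_certificate_chain_file(ctx, path).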