Fossil Forum

ssl-identity - does not send cert chain
(1.2) By sentinal (sentinel) on 2021-08-30 14:07:26 edited from 1.1

I have noticed an issue when using --ssl-identity with the clone command.

Setup 1:

Fossil is running on localhost serving one fossil (fossil server --localhost lsd_lang.fossil --https) sitting behind a reverse proxy (caddy server in this instance) running https (public domain name = localhost:8080)

Setup 2:

In addition to setup 1 I have enabled client_auth using tls certs

Setup 1 Tests - HTTPS

Working:
Fossil clone | pull | sync 
Web UI
Curl and Wget can pull the webpage

Setup 2 Tests - HTTPS with Client Auth

Working:
Web UI continues to work - it will now prompt for the cert to use, I can view the UI and login as normal.
Curl and Wget can pull the webpage when specifying the client certificates

Not Working:
Fossil clone does not work when setting --ssl-identity. The same certificate is being used as with curl and the Web UI, in pem format with key and cert concatenated together.

cmd: fossil clone -v --ssl-identity client.pem  https://richard@lsd.domainname.com ./myrepo.fossil

Response:
password for richard:
remember password (Y/n)? y
                Bytes      Cards  Artifacts     Deltas
waiting for server...
server did not reply
Clone done, sent: 261  received: 0  ip: 139.59.123.230
server returned an error - clone aborted

Which is very odd as client auth does work in the browsers safari and chrome, and the cmd line tools curl and wget.

I am at a loss, not sure if it is a bug or I have missed a fossil setting?

(2) By Stephan Beal (stephan) on 2021-08-30 07:26:13 in reply to 1.0

> I am at a loss, not sure if it is a bug or I have missed a fossil setting?

You're trying to clone using an https:// URL. To clone over ssh, use an ssh:// URL and make sure that your system has an ssh daemon running (fossil does not speak ssh, but tunnels HTTP via ssh).

Pardon my brevity, but am typing one-handed from a tablet.

(3) By sentinal (sentinel) on 2021-08-30 07:41:18 in reply to 2

thanks for the reply, ssh was a typo, I meant ssl-identity....

(4) By sentinal (sentinel) on 2021-08-30 07:43:49 in reply to 2

corrected the typo ... in the title and opening sentence

(5) By sentinal (sentinel) on 2021-08-30 13:30:47 in reply to 2

I have been doing some debugging.

server side for client auth we have the root_ca.crt (caddyserver)

client side we have client_crt, intermediate_crt, client_key in the pem file.

the above chain does not work when used with fossil clone --ssl-identity

if I move the intermediate crt to the server, appended to the root_ca crt, and remove it from the client pem file, fossil clone works using --ssl-identity

my guess is that fossil is only sending the first cert in the chain within the client pem file. Is this expected behaviour? As generally only the root cert is installed on the server and intermediates are sent from the client as a chain..

Cheers

Rich

(6) By sentinal (sentinel) on 2021-08-30 14:05:42 in reply to 5

so this is expected.... http_ssl.c calls SSL_CTX_use_certificate_file() which only loads the first cert in the file passed in.

ref: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_use_certificate_file.html

to load a certificate plus its intermediate cert chain, SSL_CTX_use_certificate_chain_file() is to be used.

I am going to have a go at changing this and if I can get it to work, I will post a patch for review?
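As an added illustration of the point above (this is my own example, not code from the thread, from Fossil or from OpenSSL), the following C program parses a constructed PEM identity file laid out the way the thread describes (leaf certificate, intermediate certificate, private key concatenated) and models what each OpenSSL loader would take from it: SSL_CTX_use_certificate_file() stops after the first CERTIFICATE block, while SSL_CTX_use_certificate_chain_file() takes the first block as the leaf and every following CERTIFICATE block as the chain, in file order. All function names (pem_find_block, pem_count_blocks, pem_get_block, pem_block_contains, certs_sent_with_*) and the placeholder PEM bodies are mine; the sample is not a real certificate and the "loaders" are a model of OpenSSL's documented behaviour, not calls into OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN "
#define PEM_END   "-----END "

/* Constructed sample of the client identity file from the thread: leaf
   certificate, intermediate certificate and private key concatenated.
   The bodies are placeholders, not real base64-encoded DER. */
static const char *SAMPLE_IDENTITY_PEM =
    "-----BEGIN CERTIFICATE-----\n"
    "LEAF-CERT-PLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "INTERMEDIATE-CERT-PLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "KEY-PLACEHOLDER\n"
    "-----END PRIVATE KEY-----\n";

/* Locate the index-th (0-based) complete PEM block whose label exactly
   matches `label`. On success stores the block's start and length (BEGIN
   line through END line) and returns 1; returns 0 if no such block exists.
   A BEGIN without a matching END ends the scan, so a truncated trailing
   block is never counted. */
static int pem_find_block(const char *pem, const char *label, int index,
                          const char **start, size_t *len) {
    size_t llen = strlen(label);
    const char *p = pem;
    int seen = 0;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *blockstart = p;
        const char *hdr = p + strlen(PEM_BEGIN);
        const char *end = strstr(hdr, PEM_END);
        if (end == NULL) return 0;                    /* truncated block */
        const char *eol = strchr(end, '\n');
        size_t blen = eol ? (size_t)(eol - blockstart) + 1 : strlen(blockstart);
        p = end + strlen(PEM_END);
        if (strncmp(hdr, label, llen) != 0 || strncmp(hdr + llen, "-----", 5) != 0)
            continue;                                 /* different block type */
        if (seen++ != index) continue;
        *start = blockstart;
        *len = blen;
        return 1;
    }
    return 0;
}

/* Number of complete blocks carrying exactly this label. */
int pem_count_blocks(const char *pem, const char *label) {
    const char *s; size_t n; int count = 0;
    while (pem_find_block(pem, label, count, &s, &n)) count++;
    return count;
}

/* Copy the index-th block with this label into out, NUL-terminated.
   Returns its length, or -1 if it is absent or out is too small. */
int pem_get_block(const char *pem, const char *label, int index,
                  char *out, size_t outlen) {
    const char *s; size_t n;
    if (!pem_find_block(pem, label, index, &s, &n) || n + 1 > outlen) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return (int)n;
}

/* 1 if the index-th block with this label exists and contains needle. */
int pem_block_contains(const char *pem, const char *label, int index,
                       const char *needle) {
    char buf[4096];
    if (pem_get_block(pem, label, index, buf, sizeof buf) < 0) return 0;
    return strstr(buf, needle) != NULL;
}

/* Model of the two OpenSSL loaders (not OpenSSL code):
   SSL_CTX_use_certificate_file() keeps only the first CERTIFICATE block;
   SSL_CTX_use_certificate_chain_file() keeps the first as the leaf and
   every following CERTIFICATE block as the chain presented to the server. */
int certs_sent_with_certificate_file(const char *pem) {
    return pem_count_blocks(pem, "CERTIFICATE") > 0 ? 1 : 0;
}
int certs_sent_with_chain_file(const char *pem) {
    return pem_count_blocks(pem, "CERTIFICATE");
}

int main(void) {
    char buf[256];
    printf("identity file holds %d certificate(s) and %d private key(s)\n",
           pem_count_blocks(SAMPLE_IDENTITY_PEM, "CERTIFICATE"),
           pem_count_blocks(SAMPLE_IDENTITY_PEM, "PRIVATE KEY"));
    printf("SSL_CTX_use_certificate_file       would present %d\n",
           certs_sent_with_certificate_file(SAMPLE_IDENTITY_PEM));
    printf("SSL_CTX_use_certificate_chain_file would present %d\n",
           certs_sent_with_chain_file(SAMPLE_IDENTITY_PEM));
    if (pem_get_block(SAMPLE_IDENTITY_PEM, "CERTIFICATE", 1, buf, sizeof buf) > 0)
        printf("block dropped by the single-certificate loader:\n%s", buf);
    return 0;
}
```

On the sample the single-certificate model presents 1 of 2 certificates, which is the symptom the thread reports: the server holding only the root CA never sees the intermediate, so it cannot build the chain and the handshake fails even though the same file works with tools that present the whole bundle. The same scan also shows why file order matters for the chain loader: whichever CERTIFICATE block comes first is treated as the leaf.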

(7) By Stephan Beal (stephan) on 2021-08-30 14:11:13 in reply to 6

> I am going to have a go at changing this and if I can get it to work, I will post a patch for review?

Please do. Note that we cannot accept "non-trivial" patches without a contributor agreement document on file with Richard, the project lead, but we can, and sometimes do, use posted patches from "non-contributors" as a basis for similar patches. For full details see: src:/doc/trunk/www/contribute.wiki

(8.2) By sentinal (sentinel) on 2021-08-30 14:34:38 edited from 8.1 in reply to 7

sure, no worries, will take a look and get that sorted.

in the meantime, here is the patch. Way more simple than I thought; all works as expected with the change below. Tests ran ok too.

SSL_CTX_use_certificate_chain_file() expects a pem file

> fossil diff
Index: src/http_ssl.c
==================================================================
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -143,11 +143,11 @@
       identityFile = g.zSSLIdentity;
     }else{
       identityFile = db_get("ssl-identity", 0);
     }
     if( identityFile!=0 && identityFile[0]!='\0' ){
-      if( SSL_CTX_use_certificate_file(sslCtx,identityFile,SSL_FILETYPE_PEM)!=1
+      if( SSL_CTX_use_certificate_chain_file(sslCtx,identityFile)!=1
        || SSL_CTX_use_PrivateKey_file(sslCtx,identityFile,SSL_FILETYPE_PEM)!=1
       ){
         fossil_fatal("Could not load SSL identity from %s", identityFile);
       }
     }
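Review bot: the new SSL_CTX_use_certificate_chain_file() call on the `+` line treats the first CERTIFICATE block in identityFile as the leaf and the following blocks as the chain in file order, so the fix depends on the identity file being laid out leaf-first; that ordering requirement, and the fact that the file must now be PEM (hence the dropped SSL_FILETYPE_PEM argument, which is correct since the chain loader accepts PEM only), deserve a mention in the --ssl-identity documentation. The unchanged fossil_fatal("Could not load SSL identity from %s", identityFile) also gives no hint that a wrong block order or a non-PEM file is the cause; consider adding SSL_CTX_check_private_key(sslCtx) after the two loads so a key that does not match the leaf fails here with a clear message instead of surfacing later as "server did not reply".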

(9) By sentinal (sentinel) on 2021-09-01 14:53:21 in reply to 7

contributor agreement document has been filled in and signed and sent to Richard, along with a fossil diff -I patch

(10) By Stephan Beal (stephan) on 2021-09-01 14:57:40 in reply to 9

> contributor agreement document has been filled in and signed and sent to Richard

Great!

He's a very busy person, him being ruler of sqlite and all, so please ping again in a week or so (assuming continental US mail) if you haven't heard any follow-up on this.