From 3c254a72107f8db852534c150c4ba6326c398c65 Mon Sep 17 00:00:00 2001
From: Norman Maurer
Date: Fri, 22 Jan 2016 21:18:26 +0100
Subject: [PATCH] [#4722] Ensure the whole certificate chain is used when creating SslContext for client mode and SslProvider.OPENSSL is used

Motivation:

We incorrectly added the trustCertChain as certificate chain when OpenSslClientContext was created. We need to correctly add the keyCertChain.

Modifications:

Correctly add whole keyCertChain.

Result:

SSL client auth is working when usin OpenSslClientContext and more then one cert is contained in the certificate chain.
---
 .../handler/ssl/OpenSslClientContext.java | 52 +++++++------------
 1 file changed, 19 insertions(+), 33 deletions(-)

diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
index 93c91a5d21..92e3cbbc6b 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
@@ -191,17 +191,6 @@ public final class OpenSslClientContext extends OpenSslContext {
 "Either both keyCertChainFile and keyFile needs to be null or none of them");
 }
 synchronized (OpenSslContext.class) {
- if (trustCertChainFile != null) {
- /* Load the certificate chain. We must NOT skip the first cert when client mode */
- if (!SSLContext.setCertificateChainFile(ctx, trustCertChainFile.getPath(), false)) {
- long error = SSL.getLastErrorNumber();
- if (OpenSsl.isError(error)) {
- throw new SSLException(
- "failed to set certificate chain: "
- + trustCertChainFile + " (" + SSL.getErrorString(error) + ')');
- }
- }
- }
 if (keyCertChainFile != null && keyFile != null) {
 /* Load the certificate file and private key. */
 try {
@@ -214,6 +203,16 @@ public final class OpenSslClientContext extends OpenSslContext {
 " (" + SSL.getErrorString(error) + ')');
 }
 }
+ // We may have more then one cert in the chain so add all of them now. We must NOT skip the
+ // first cert when client mode.
+ if (!SSLContext.setCertificateChainFile(ctx, keyCertChainFile.getPath(), false)) {
+ long error = SSL.getLastErrorNumber();
+ if (OpenSsl.isError(error)) {
+ throw new SSLException(
+ "failed to set certificate chain: "
+ + keyCertChainFile + " (" + SSL.getErrorString(error) + ')');
+ }
+ }
 } catch (SSLException e) {
 throw e;
 } catch (Exception e) {
@@ -281,28 +280,6 @@ public final class OpenSslClientContext extends OpenSslContext {
 "Either both keyCertChain and key needs to be null or none of them");
 }
 synchronized (OpenSslContext.class) {
- if (trustCertChain != null) {
- long trustCertChainBio = 0;
-
- try {
- trustCertChainBio = toBIO(trustCertChain);
- /* Load the certificate chain. We must NOT skip the first cert when client mode */
- if (!SSLContext.setCertificateChainBio(ctx, trustCertChainBio, false)) {
- long error = SSL.getLastErrorNumber();
- if (OpenSsl.isError(error)) {
- throw new SSLException(
- "failed to set certificate chain: " + SSL.getErrorString(error));
- }
- }
- } catch (Exception e) {
- throw new SSLException(
- "failed to set certificate chain", e);
- } finally {
- if (trustCertChainBio != 0) {
- SSL.freeBIO(trustCertChainBio);
- }
- }
- }
 if (keyCertChain != null && key != null) {
 /* Load the certificate file and private key. */
 long keyBio = 0;
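Review bot: A false return from `SSLContext.setCertificateChainFile` is silently ignored when no OpenSSL error is queued, because the added block only throws inside `if (OpenSsl.isError(error))`; the context is then built with an incomplete client chain and the problem surfaces later as a handshake failure at the peer instead of at construction. Unless netty-tcnative is known to return false without queuing an error for benign reasons, an `else { throw new SSLException("failed to set certificate chain: " + keyCertChainFile); }` after the isError check would make the failure explicit. The same pattern is added for the BIO variant in the hunk at -321,6 +298,15. In both added comments "more then one cert" should read "more than one cert". The enclosing try block and constructor continue outside this hunk.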
@@ -321,6 +298,15 @@ public final class OpenSslClientContext extends OpenSslContext {
 + SSL.getErrorString(error));
 }
 }
+ // We may have more then one cert in the chain so add all of them now. We must NOT skip the
+ // first cert when client mode.
+ if (!SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)) {
+ long error = SSL.getLastErrorNumber();
+ if (OpenSsl.isError(error)) {
+ throw new SSLException(
+ "failed to set certificate chain: " + SSL.getErrorString(error));
+ }
+ }
 } catch (SSLException e) {
 throw e;
 } catch (Exception e) {
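Review bot: `SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false)` reads from a BIO that, judging by its name, was presumably already consumed by the earlier setCertificateBio call above this hunk; if the native side does not rewind the BIO between calls, the chain load starts at the BIO's current read position rather than at the first certificate, so the file and BIO code paths would behave differently despite both passing skipFirstCert=false. Worth confirming against netty-tcnative, and if the BIO is not rewound, either resetting it before this call or creating a separate BIO via `toBIO(keyCertChain)` for the chain load and freeing it in the same finally block. The enclosing try block and constructor continue outside this hunk.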