
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 115729
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: flagg [...] onet.eu
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.029
Fixed in: (no value)



Subject: Problem with cert-chain in P12
Hey,
I probably found a bug with handling cert-chain embedded in *.p12 files - chained certs are not used by IO::Socket::SSL at all. However all is working fine, if I extract them with IO::Socket::SSL::Utils, write to a file (*.pem) and then specify this file through "SSL_ca_file". Example of code:

###############
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::SSL::Utils qw(PEM_cert2string CERT_free);
# $p12, $key and $ca_file are set elsewhere: PKCS#12 path, its password, PEM output path
my ( undef, undef, @chn ) = Net::SSLeay::P_PKCS12_load_file( $p12, 1, $key );   # 1 = also load the chain
open( my $fh, '>', $ca_file ) or die $!;
print $fh map { PEM_cert2string( $_ ) } @chn;   # write the chain certs as PEM
close( $fh );
CERT_free( $_ ) for @chn;
###############

I found this on Windows platform, however it seems that things go in the same way on Linux Debian.

PS. I've checked this only in the latest version of IO::Socket::SSL.
On Wed 29 Jun 2016, 10:27:31, STRZELEC wrote:
> Hey,
> I probably found a bug with handling cert-chain embedded in *.p12
> files - chained certs are not used by IO::Socket::SSL at all. However
> all is working fine, if I extract them with IO::Socket::SSL::Utils,
> write to a file (*.pem) and then specify this file through
> "SSL_ca_file". Example of code:
I cannot reproduce the problem, i.e. openssl s_client shows that it adds all chain certificates from the PKCS12 file. But if you have multiple chain certificates it adds these in the wrong order which might cause problems. Please try the latest version in git if this fixes your problem: https://github.com/noxxi/p5-io-socket-ssl/commit/e329b07e2e784

If it does not get fixed I would need a sample PKCS12 where you get this issue, because with the samples I've generated I don't have the issue.
Still the same. I've attached *.p12 file for a test user. I'm using IO::Socket::SSL through LWP::UserAgent with options as below (maybe there is a problem).

##############
# ssl_opts passed to LWP::UserAgent->new; the SSL_* keys go through to IO::Socket::SSL
ssl_opts => {
    verify_hostname => 0,
    SSL_use_cert    => 1,
    SSL_ca_file     => $chn,           # workaround: chain extracted from the *.p12
    SSL_cert_file   => $p12,
    SSL_passwd_cb   => sub { $key },
},
##############

On Wed Jun 29 12:15:09 2016, SULLR wrote:
> I cannot reproduce the problem, i.e. openssl s_client shows that it
> adds all chain certificates from the PKCS12 file. But if you have
> multiple chain certificates it adds these in the wrong order which
> might cause problems. Please try the latest version in git if this
> fixes your problem: https://github.com/noxxi/p5-io-socket-ssl/commit/e329b07e2e784
>
> If it does not get fixed I would need a sample PKCS12 where you get
> this issue, because with the samples I've generated I don't have the
> issue.
Attachment: testes.7z (application/x-7z-compressed, 9.4k)


> ##############
> verify_hostname => 0,
> SSL_use_cert => 1,
> SSL_ca_file => $chn, # workaround
> SSL_cert_file => $p12,
I'm not sure what you are trying to do here, but SSL_cert_file is used as the client certificate which gets verified by the server, while SSL_ca_file is used by the client to verify the server's certificate. No information from the client certificate should be used to verify the server's certificate, so if you expect this you might have the wrong expectation.

When I use your example pkcs12 file in both client and server it successfully sends the client or server certificate with the full chain provided in the pkcs12 file. And this is all it should do.
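Added example (not from the ticket, and not code from the IO::Socket::SSL project) illustrating the distinction made above: the PKCS#12 passed as SSL_cert_file supplies the client's certificate and chain, while SSL_ca_file is the trust anchor for the server; file names, password and host are assumed.

```perl
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(PEM_cert2string CERT_free);

# Assumed inputs (hypothetical paths, password and host, not from the ticket)
my $p12      = 'client.p12';     # PKCS#12 holding client key, cert and its chain
my $p12_pass = 'changeit';
my $ca_file  = 'server-ca.pem';  # CA that issued the *server's* certificate
my $host     = 'example.com';

# Load the PKCS#12 only to show what the client will *send* with its
# certificate; this chain plays no part in verifying the server.
my ( $key, $cert, @chain ) = Net::SSLeay::P_PKCS12_load_file( $p12, 1, $p12_pass );
die "cannot load $p12" unless $cert;
printf "client chain from %s: %d certificate(s)\n", $p12, scalar @chain;
print PEM_cert2string($_) for @chain;
CERT_free($_) for @chain;
Net::SSLeay::X509_free($cert);
Net::SSLeay::EVP_PKEY_free($key);

# Weak, as in the ticket's LWP options: verify_hostname => 0 skips the
# hostname check and, in LWP, also turns off peer verification unless
# SSL_verify_mode is set, so the server is never checked against any CA.
# Hardened: explicit trust anchor for the server plus a hostname check,
# while the client still presents cert + chain from the PKCS#12.
my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => 443,
    SSL_verify_mode     => SSL_VERIFY_PEER,  # reject unverifiable server certs
    SSL_verifycn_scheme => 'http',           # match CN/SAN against $host
    SSL_verifycn_name   => $host,
    SSL_ca_file         => $ca_file,         # trust anchor for the server only
    SSL_cert_file       => $p12,             # client key + cert + chain (PKCS#12)
    SSL_passwd_cb       => sub { $p12_pass },
) or die "TLS handshake failed: $SSL_ERROR";

# The server's own certificate, verified above against $ca_file
print "server cert subject: ", $sock->peer_certificate('subject'), "\n";
$sock->close;
```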
I've expected that if client and server have certs from exactly the same CA, a chain from *.p12 on a client side will be used to verify server cert (just as chain supplied in SSL_ca_file). However I understand that things are going the other way (and this could be only on a wish list ;), so this thread should be closed. Thank you for your time and explanation.