On Thursday 14 May 2015, Michal Lesniewski wrote:
> Hello,
>
> I'm trying to configure OpenBSD 5.7 httpd with tls with
> intermediate/chain certificate without success.
>
> my httpd.conf:
>
> server "default" {
>         listen on 10.11.0.200 tls port 443
>
>         tls {
>                 certificate "/etc/ssl/server-unified.pem"
>                 key "/etc/ssl/private/server.key"
>         }
>
>         root "/htdocs/default"
> }
>
> types {
>         include "/usr/share/misc/mime.types"
> }
>
>
> My certificate is intermediate/chain certificate. That means I need to
> supply "next level" certificate that is between my certificate and CA.
>
> I made that chain certificate concatenating PEM format files with
> corresponding certs (all certs Signature Algorithm:
> sha256WithRSAEncryption)
>
> cat server.pem sub.class2.server.ca.pem ca-sha2.pem >
> /etc/ssl/server-unified.pem
>
> server-unified.pem looks like:
>
> -----BEGIN CERTIFICATE-----
> (Primary SSL certificate: server.pem)
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Intermediate certificate: sub.class2.server.ca.pem)
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> (Root certificate: ca-sha2.pem)
> -----END CERTIFICATE-----
>
> Certificate and key installed in default locations:
>
> # ls -alh /etc/ssl/private/server.key
> -r--------  1 root  wheel   6.2K May 13 19:40 /etc/ssl/private/server.key
> # ls -alh /etc/ssl/server.pem
> -rw-r--r--  1 root  wheel   3.3K May 13 19:41 /etc/ssl/server.pem
> # ls -alh /etc/ssl/server-unified.pem
> -rw-r--r--  1 root  wheel   8.0K May 14 13:53 /etc/ssl/server-unified.pem
>
>
> I try to test using openssl s_client:
>
> michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
> CONNECTED(00000003)
> GET / HTTP/1.0
>
>
>
> httpd log:
>
>
> # httpd -dvvvvvvvvvv
> startup
> server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
> server_tls_load_keypair: using private key /etc/ssl/private/server.key
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> server_privinit: adding server default
> server_privinit: adding server default
> socket_rlimit: max open files 1024
> server_launch: running server default
> server_launch: running server default
> server_launch: running server default
>
>
> there is no "server_tls_init"
>
> nothing appears when started openssl s_client command
This smells very much like the same problem that has been mentioned on the list earlier - with a 6KB private key and an 8KB bundle, you're almost certainly hitting the 16K limit for a single imsg. Unfortunately there were missing return value checks which means that this fails silently. If you can try httpd from -current you will likely see an error instead of a silent failure. Otherwise you can try removing one of the certificates from the bundle in order to reduce the size and see if it then reports "server_tls_init" and starts working.

-- 
"Action without study is fatal. Study without action is futile." -- Mary Ritter Beard
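To make the size arithmetic in the reply concrete, here is an added shell example; it is not from the thread and not OpenBSD httpd's own code. It assumes the 16384-byte single-imsg limit the reply names and that key and bundle are sent in the same message; anything else httpd packs into that message (headers, config struct) is not known here, so it is modelled as an explicitly assumed overhead parameter (2048 bytes in the demo). The PEM files are constructed fakes of roughly the sizes in the question (6.2K key, 8.0K three-certificate bundle), not real keys or certificates. When the budget is blown, the script drops the last certificate, since that is the root the question's bundle ends with and a server does not need to send the root (clients already hold it).

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD httpd): size a key and
# a PEM bundle against a 16 KiB single-imsg limit.
# Assumptions: IMSG_MAX is 16384 bytes; key + bundle share one imsg; any
# additional per-message overhead is passed in by the caller (unknown here).

IMSG_MAX=16384

# Size of a file in bytes (tr strips the leading blanks BSD wc prints).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Number of certificates in a PEM bundle, one per BEGIN CERTIFICATE line.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write bundle $1 without its last certificate to $2 (the root, in the
# question's leaf/intermediate/root ordering).
pem_drop_last_cert() {
    n=$(pem_cert_count "$1")
    awk -v keep="$((n - 1))" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i <= keep { print }
    ' "$1" > "$2"
}

# Exit 0 if key + bundle + overhead fits in one imsg, 1 otherwise.
# $1 = key file, $2 = bundle file, $3 = assumed extra bytes (default 0).
tls_imsg_budget() {
    key=$1; bundle=$2; overhead=${3:-0}
    k=$(file_size "$key"); b=$(file_size "$bundle")
    t=$((k + b + overhead))
    printf 'key=%d bundle=%d overhead=%d total=%d limit=%d certs=%d\n' \
        "$k" "$b" "$overhead" "$t" "$IMSG_MAX" "$(pem_cert_count "$bundle")"
    [ "$t" -le "$IMSG_MAX" ]
}

# Constructed sample data: a PEM-shaped block of $2 lines of 64 'A's.
# These are NOT real keys or certificates, just files of a known size.
PEM_LINE=$(printf '%064d' 0 | tr 0 A)
fake_pem() {
    printf '%s\n' "-----BEGIN $1-----"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' "$PEM_LINE"
        i=$((i + 1))
    done
    printf '%s\n' "-----END $1-----"
}

demo() {
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    fake_pem 'RSA PRIVATE KEY' 95 > "$d/server.key"       # 6237 bytes
    { fake_pem CERTIFICATE 50; fake_pem CERTIFICATE 35; fake_pem CERTIFICATE 38; } \
        > "$d/server-unified.pem"                          # 8157 bytes, 3 certs
    # 2048 is an assumed overhead for whatever else shares the imsg.
    if tls_imsg_budget "$d/server.key" "$d/server-unified.pem" 2048; then
        echo 'fits in one imsg'
    else
        echo 'over budget: dropping the root certificate from the bundle'
        pem_drop_last_cert "$d/server-unified.pem" "$d/server-chain.pem"
        tls_imsg_budget "$d/server.key" "$d/server-chain.pem" 2048 \
            && echo 'now fits'
    fi
}

demo
```

Run it as-is to see the demo; to check real files, call `tls_imsg_budget /etc/ssl/private/server.key /etc/ssl/server-unified.pem` with an overhead you consider realistic. A bundle that passes this check but still never logs server_tls_init points at something other than the imsg size, as the reply notes a -current httpd reports the error instead of failing silently.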