On 14.05.2015 15:02, Joel Sing wrote:
On Thursday 14 May 2015, Michal Lesniewski wrote:
Hello,
I'm trying to configure OpenBSD 5.7 httpd with TLS with an
intermediate/chain certificate, without any success.
my httpd.conf:

server "default" {
        listen on 10.11.0.200 tls port 443
        tls {
                certificate "/etc/ssl/server-unified.pem"
                key "/etc/ssl/private/server.key"
        }
        root "/htdocs/default"
}

types {
        include "/usr/share/misc/mime.types"
}
My certificate is an intermediate/chain certificate. That means I need to
supply the "next level" certificate that sits between my certificate and the CA.
I made that chain certificate concatenating PEM format files with
corresponding certs (all certs Signature Algorithm:
sha256WithRSAEncryption)
cat server.pem sub.class2.server.ca.pem ca-sha2.pem >
/etc/ssl/server-unified.pem
server-unified.pem looks like:
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: sub.class2.server.ca.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: ca-sha2.pem)
-----END CERTIFICATE-----
Certificate and key are installed in the default locations:
# ls -alh /etc/ssl/private/server.key
-r-------- 1 root wheel 6.2K May 13 19:40 /etc/ssl/private/server.key
# ls -alh /etc/ssl/server.pem
-rw-r--r-- 1 root wheel 3.3K May 13 19:41 /etc/ssl/server.pem
# ls -alh /etc/ssl/server-unified.pem
-rw-r--r-- 1 root wheel 8.0K May 14 13:53 /etc/ssl/server-unified.pem
I tried to test using openssl s_client:
michal@michal-MSQ87TN:~$ openssl s_client -connect 10.11.0.200:443
CONNECTED(00000003)
GET / HTTP/1.0
httpd log:
# httpd -dvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
socket_rlimit: max open files 1024
server_launch: running server default
server_launch: running server default
server_launch: running server default
there is no "server_tls_init"
nothing appears when the openssl s_client command is started
This smells very much like the same problem that has been mentioned on the
list earlier - with a 6KB private key and a 8KB bundle, you're almost
certainly hitting the 16K limit for a single imsg. Unfortunately there were
missing return value checks which means that this fails silently. If you can
try httpd from -current you will likely see an error instead of a silent
failure. Otherwise you can try removing one of the certificates from the
bundle in order to reduce the size and see if it then
reports "server_tls_init" and starts working.
tested on -current:
# httpd -dvvvvvvvvvvvvv
startup
server_tls_load_keypair: using certificate /etc/ssl/server-unified.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key
socket_rlimit: max open files 1024
server_privinit: adding server default
server_privinit: adding server default
config_setserver: failed to compose IMSG_CFG_SERVER imsg for `default':
Result too large
fatal: send server: Result too large
socket_rlimit: max open files 1024
logger exiting, pid 4965
socket_rlimit: max open files 1024
server exiting, pid 10727
server exiting, pid 32594
server exiting, pid 5337
The above situation occurs both when I have server cert + intermediate + CA
and when I have only server cert + intermediate in server-chain.pem.
httpd starts only when I supply just my server cert to it.
Is there any solution to run httpd with such big private key?
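As an added example (not code from the thread or from OpenBSD httpd), the following sh script turns Joel's size explanation and Michal's -current output into a pre-flight check: it counts the PEM blocks in a bundle and reports how much of the 16K imsg is left once the certificate bundle and the private key are accounted for. The 16384-byte limit is the figure named in the thread; MARGIN, the PEM-shaped filler files and their sizes are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not code from the thread or from OpenBSD httpd): estimate
# whether a certificate bundle plus its private key fits in the single 16K
# imsg that Joel Sing describes above. IMSG_LIMIT is the 16K figure from the
# thread; MARGIN is an assumed allowance for the imsg header and the server
# configuration carried in the same message (the thread gives no exact size).
IMSG_LIMIT=16384
MARGIN=4096

# pem_blocks FILE LABEL: count the "-----BEGIN LABEL-----" lines in FILE
pem_blocks() {
    grep -c -e "-----BEGIN $2-----" "$1"
}

# keypair_headroom CERT KEY: print the bytes left in the imsg after the
# bundle and key (may be negative); exit 0 only if at least MARGIN remain.
keypair_headroom() {
    cert_bytes=$(wc -c < "$1")
    key_bytes=$(wc -c < "$2")
    headroom=$((IMSG_LIMIT - cert_bytes - key_bytes))
    echo "$headroom"
    [ "$headroom" -ge "$MARGIN" ]
}

# make_fake_pem FILE LABEL BLOCKS BODY_BYTES: write constructed PEM-shaped
# filler blocks (not real certificates or keys) so the check runs offline.
make_fake_pem() {
    : > "$1"
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '%s\n' "-----BEGIN $2-----" >> "$1"
        awk -v n="$4" 'BEGIN { for (i = 0; i < n; i++) printf "A" }' >> "$1"
        printf '\n%s\n' "-----END $2-----" >> "$1"
        i=$((i + 1))
    done
}

# Constructed inputs sized like the thread's files: a three-certificate
# bundle of about 8K and a private key of about 6.2K.
WORK=$(mktemp -d)
make_fake_pem "$WORK/server-unified.pem" CERTIFICATE 3 2600
make_fake_pem "$WORK/server.key" "RSA PRIVATE KEY" 1 6300

if keypair_headroom "$WORK/server-unified.pem" "$WORK/server.key" > /dev/null; then
    echo "keypair should fit in one imsg"
else
    echo "keypair too large for one imsg: shorten the chain or use a smaller key"
fi
```

With the sizes from the thread the script reports only about 2K of headroom and flags the keypair, while the same key paired with a single server certificate passes; run it against the real files under /etc/ssl before restarting httpd.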