Date:      Tue, 16 Dec 2008 13:21:11 +0100 (CET)
From:      Petr Holub <hopet@ics.muni.cz>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/129681: SSL patch for net-im/ejabberd
Message-ID:  <200812161221.mBGCLBCd013215@arwen.ics.muni.cz>
Resent-Message-ID: <200812161500.mBGF0FHf043706@freefall.freebsd.org>


>Number:         129681
>Category:       ports
>Synopsis:       SSL patch for net-im/ejabberd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 16 15:00:15 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Petr Holub
>Release:        FreeBSD 7.0-RELEASE i386
>Organization:
Masaryk University
>Environment:
System: FreeBSD arwen.ics.muni.cz 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Apr 13 20:28:04 CEST 2008 toor@arwen.ics.muni.cz:/usr/obj/usr/src/sys/ARWEN i386


>Description:

	The ejabberd server is unable to present the CA certificate chain to the
        client, so clients get an Unknown CA error unless they have the CA
        certificate installed locally (or unless they ignore SSL problems).
        With this patch it is possible to put the CA certificate into the PEM
        file as well (together with the server key and server certificate),
        and the CA certificate is then presented to the client.

        For more information see
        http://hyperstruct.net/2007/6/20/installing-the-startcom-ssl-certificate-in-ejabberd

>How-To-Repeat:

        cat serverkey.pem servercert.pem CAcert.pem >server.pem

	Prior to this patch, the Psi client needs to have the CA certificate locally.
        Now it can be provided by the ejabberd server.
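
        As an added offline check (not part of this PR or of ejabberd), the script below parses the concatenated server.pem produced by the cat command above and verifies that its CERTIFICATE blocks are in the order SSL_CTX_use_certificate_chain_file reads them (server certificate first, then the CA that issued it), by comparing each certificate's issuer with the next certificate's subject through a minimal DER walk. The names such as jabber.example.org and the fake_cert_pem helper are constructed test data, not real certificates.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):                       # -> [(label, der_bytes)] in file order
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos=0):                    # decode one DER element -> (tag, value, end_offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: the next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                    # yield (tag, raw_tlv_bytes) of a constructed value
    pos = 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end

def issuer_subject(cert_der):               # -> (raw issuer Name DER, raw subject Name DER)
    _, cert, _ = der_tlv(cert_der)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)               # tbsCertificate is the first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject, ...

def check_chain_order(bundle):
    """Problems with the CERTIFICATE order SSL_CTX_use_certificate_chain_file expects:
    server certificate first, then each certificate that issued the one before it."""
    certs = [der for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    if len(certs) < 2:
        return ["bundle needs the server certificate followed by at least one CA certificate"]
    return [f"certificate {i} was not issued by certificate {i + 1}; check the cat order"
            for i in range(len(certs) - 1)
            if issuer_subject(certs[i])[0] != issuer_subject(certs[i + 1])[1]]

def tlv(tag, body):                         # DER encoder, only for the constructed test data
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def fake_cert_pem(subject, issuer):
    """Constructed, unsigned certificate-shaped DER with CN-only names; not a real certificate."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    cert = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Run check_chain_order on the real server.pem: an empty list means the file is in the order the patched tls_drv.c will accept.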

>Fix:

--- patch-src::tls::tls_drv.c begins here ---
--- src/tls/tls_drv.c.orig	2008-12-16 13:04:21.000000000 +0100
+++ src/tls/tls_drv.c	2008-12-16 13:05:29.000000000 +0100
@@ -108,7 +108,7 @@
 	 d->ctx = SSL_CTX_new(SSLv23_method());
 	 die_unless(d->ctx, "SSL_CTX_new failed");
 
-	 res = SSL_CTX_use_certificate_file(d->ctx, buf, SSL_FILETYPE_PEM);
+	 res = SSL_CTX_use_certificate_chain_file(d->ctx, buf);
 	 die_unless(res > 0, "SSL_CTX_use_certificate_file failed");
 
 	 res = SSL_CTX_use_PrivateKey_file(d->ctx, buf, SSL_FILETYPE_PEM);
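Review bot: the die_unless message on the context line right after the changed call still reads "SSL_CTX_use_certificate_file failed" although the call is now SSL_CTX_use_certificate_chain_file; change it to "SSL_CTX_use_certificate_chain_file failed" so a rejected bundle is reported against the function that actually failed. A short comment at the call site would also help: SSL_CTX_use_certificate_chain_file treats the first CERTIFICATE block in the file as the server certificate and the following ones as its chain, so the order given in How-To-Repeat (servercert.pem before CAcert.pem) is a requirement, not a convention.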
--- patch-src::tls::tls_drv.c ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: