Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

ADD : Read ssl certificate from chain file #616

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

ADD : Read ssl certificate from chain file #616

wants to merge 1 commit into from
+1 −1

Conversation

TheMadius
Copy link

It was necessary to deploy http server with ssl, but the certificate that was used was a chain of certificates. Libhv read only the first one. Added the ability to read a chain of certificates

Before:

> openssl s_client -connect 10.23.18.4:9092

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Jan 12 08:54:21 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgzCCAmugAwIBAgIUe5uJWDlkUMS2wc+xsiHeI1M0sQMwDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHbXkucm9vdDAeFw0yNDA4MzAwODU0MjFaFw0yNjAxMTIw
ODU0MjFaMH8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRUwEwYDVQQH
DAxKYWNrc29udmlsbGUxEDAOBgNVBAoMB1NvbWVPcmcxHTAbBgkqhkiG9w0BCQEW
DnNvbWVAZW1haWwuY29tMRYwFAYDVQQDDA10aGVkb21haW4uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08C64iNkZ0SljtuCQgqqAN7kZN3CqyMp
t4xQXsJXvIjlPlCr+Remjo2knnwBjQWutVzhQgzXbtZXNBfHh36yfYF9y/DBeetm
iSAa02Vkxi+NTlb9PzNExIiPR4UEHz1XZ+LZmvIkpPgT3x0irw+p7lali2wBRcgx
BN3PxUE3JAUefi1/AMXI2LnuYoA4l1ltZ6tnUezVX23Co/92KX4gOn8OCRdDrHlp
P15mCVgXtJVg4ieeFrKOZ/bAD1n+lRHahcfuSr/Pj/PTkizCNQs003rjENANbrKF
TMoUvjs6KtBd79Wmnp0IcobHVjTwO4iFWZMS2yRnovjS6h9LcYmk6wIDAQABo2Qw
YjAgBgNVHREEGTAXgg9vdGhlcmRvbWFpbi5jb22HBAECAwQwHQYDVR0OBBYEFNV2
0iqsF3OMXi9gbzEMNiLs88QLMB8GA1UdIwQYMBaAFPLdu4Vz8FkSzxhX11c8syQ0
YMN1MA0GCSqGSIb3DQEBCwUAA4IBAQB2EdKCnu0NrTw9CPszqO8eg1sHisKcXQBy
dSsc311iEyXhaTwWKvOKAsJ4yKGwXaLPBuIj7cBhYPOIOOnA1DJ2cGi6XnOsuNga
HOVGFEXiNTp7V2ibh13f7a0rk0TxnvuduLJ8zoUoB+g8qdI3y94CsgKQ+1gArQfS
hPd+rSwFM5PDXtLdSDBWGe6lJFzgsrXFWYDDN+rOQ180CK114X5EGQJpuy4LwelJ
z4eUpqqQ1wupvEgQgelMivA+yZsXV4mRijlVdh/pHrsDdc3zGf2qlkn8olQgPOBh
/P0q9XsP6rg4Aw74vucbGhj78KbMssPDWBvyh0F76kKdePOJ5J4S
-----END CERTIFICATE-----
subject=C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
issuer=CN = my.root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1459 bytes and written 373 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 629C3064F349B59121DAD5600BD9762D5E5B68EA0D310EFBECA4AC356A74B549
    Session-ID-ctx: 
    Resumption PSK: E05581C9B8AC52EFA0D092026A9FFE4907114B6DDDF9B704A44715572953EAD21A58A54D5D5BA775762D7A84CE829172
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5b 79 fa c8 a2 ee 0c a8-60 f5 54 e3 b5 bb 3d 68   [y......`.T...=h
    0010 - 97 e0 76 9e 1b 84 22 cd-f4 b4 21 e8 98 54 cc 62   ..v..."...!..T.b
    0020 - b7 13 93 d5 f7 f5 62 fc-d5 74 0e c5 15 88 cf 33   ......b..t.....3
    0030 - d7 78 80 98 0d 28 f1 1a-eb 6c e5 18 10 96 82 f6   .x...(...l......
    0040 - e4 5d 2f fe 98 5c a8 c0-94 85 af e2 6b ee a5 b3   .]/..\......k...
    0050 - 01 aa f3 2d 4b 7c b0 81-9e 4f bc 99 32 dd cb 10   ...-K|...O..2...
    0060 - d6 f0 9c 24 32 98 5b 86-d9 65 cf 11 7f de 6f db   ...$2.[..e....o.
    0070 - 61 33 d8 16 0f 70 53 b9-db 29 e5 97 b1 16 aa 13   a3...pS..)......
    0080 - 93 33 02 0b 0e fe 86 a2-cc 71 c1 1c fe 13 87 9a   .3.......q......
    0090 - 8b ec e9 45 5c 26 42 87-11 15 15 b2 6b 84 5d c1   ...E\&B.....k.].
    00a0 - fd 60 9a 47 38 35 12 f2-4a 9c 6f 8d 62 96 60 41   .`.G85..J.o.b.`A
    00b0 - 32 d1 c7 0a 13 ee a3 b4-2b 23 41 41 28 b9 56 25   2.......+#AA(.V%
    00c0 - 52 08 2f 03 0d 40 3b 68-29 3c 21 20 ab b0 96 0f   R./..@;h)<! ....

    Start Time: 1725016271
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D778D3ECDCCDBC8684998C689204B6E3D3EB037F6C07B53FBA85BBD0A9771044
    Session-ID-ctx: 
    Resumption PSK: 543A0AF7EB25C799E92B1A071458E006B17BEA0DB5BCBB90AA610D5DE4DB2B168EFE1997EC4E214262CC147741C76578
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5b 79 fa c8 a2 ee 0c a8-60 f5 54 e3 b5 bb 3d 68   [y......`.T...=h
    0010 - 67 64 91 a1 69 34 bc 01-4d 61 16 5f 18 4a 02 37   gd..i4..Ma._.J.7
    0020 - ac b4 f1 be 84 92 c3 36-4c 1e 42 5a 7d 66 8e 52   .......6L.BZ}f.R
    0030 - 89 a2 eb c2 87 ab a5 32-2a a6 2b fc e9 6f 1e 7e   .......2*.+..o.~
    0040 - 55 bf db 20 af 38 a4 8b-fb a5 11 54 8c f6 44 7e   U.. .8.....T..D~
    0050 - 06 87 d6 e8 28 8a 0e f2-d2 a9 83 10 47 d6 e7 20   ....(.......G.. 
    0060 - 69 23 11 39 16 7d 8e 9e-21 ea e7 38 a9 62 e2 05   i#.9.}..!..8.b..
    0070 - b8 2c 50 04 19 28 6a 84-18 ac 9a 10 8a 16 da a8   .,P..(j.........
    0080 - 0b 59 2b 74 54 12 36 b2-cc 31 ef 80 ad 23 fb 8b   .Y+tT.6..1...#..
    0090 - 5d ba 9b 3e bf a9 62 6f-75 58 59 27 21 86 9a 39   ]..>..bouXY'!..9
    00a0 - 8d 92 e3 78 e3 60 a8 40-c9 14 a1 5d 32 1c 91 9d   ...x.`.@...]2...
    00b0 - 44 f0 32 c4 b4 d6 61 0f-cc ef 91 26 6a a2 e9 af   D.2...a....&j...
    00c0 - e4 13 f3 34 c4 15 6a be-79 67 09 d2 4b 17 81 6f   ...4..j.yg..K..o

    Start Time: 1725016272
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---

After:

openssl s_client -connect 10.23.18.4:19999
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = my.root
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 CN = my.root
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Jan 12 08:54:21 2026 GMT
 1 s:CN = my.root
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Sep 29 08:54:21 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgzCCAmugAwIBAgIUe5uJWDlkUMS2wc+xsiHeI1M0sQMwDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHbXkucm9vdDAeFw0yNDA4MzAwODU0MjFaFw0yNjAxMTIw
ODU0MjFaMH8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRUwEwYDVQQH
DAxKYWNrc29udmlsbGUxEDAOBgNVBAoMB1NvbWVPcmcxHTAbBgkqhkiG9w0BCQEW
DnNvbWVAZW1haWwuY29tMRYwFAYDVQQDDA10aGVkb21haW4uY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA08C64iNkZ0SljtuCQgqqAN7kZN3CqyMp
t4xQXsJXvIjlPlCr+Remjo2knnwBjQWutVzhQgzXbtZXNBfHh36yfYF9y/DBeetm
iSAa02Vkxi+NTlb9PzNExIiPR4UEHz1XZ+LZmvIkpPgT3x0irw+p7lali2wBRcgx
BN3PxUE3JAUefi1/AMXI2LnuYoA4l1ltZ6tnUezVX23Co/92KX4gOn8OCRdDrHlp
P15mCVgXtJVg4ieeFrKOZ/bAD1n+lRHahcfuSr/Pj/PTkizCNQs003rjENANbrKF
TMoUvjs6KtBd79Wmnp0IcobHVjTwO4iFWZMS2yRnovjS6h9LcYmk6wIDAQABo2Qw
YjAgBgNVHREEGTAXgg9vdGhlcmRvbWFpbi5jb22HBAECAwQwHQYDVR0OBBYEFNV2
0iqsF3OMXi9gbzEMNiLs88QLMB8GA1UdIwQYMBaAFPLdu4Vz8FkSzxhX11c8syQ0
YMN1MA0GCSqGSIb3DQEBCwUAA4IBAQB2EdKCnu0NrTw9CPszqO8eg1sHisKcXQBy
dSsc311iEyXhaTwWKvOKAsJ4yKGwXaLPBuIj7cBhYPOIOOnA1DJ2cGi6XnOsuNga
HOVGFEXiNTp7V2ibh13f7a0rk0TxnvuduLJ8zoUoB+g8qdI3y94CsgKQ+1gArQfS
hPd+rSwFM5PDXtLdSDBWGe6lJFzgsrXFWYDDN+rOQ180CK114X5EGQJpuy4LwelJ
z4eUpqqQ1wupvEgQgelMivA+yZsXV4mRijlVdh/pHrsDdc3zGf2qlkn8olQgPOBh
/P0q9XsP6rg4Aw74vucbGhj78KbMssPDWBvyh0F76kKdePOJ5J4S
-----END CERTIFICATE-----
subject=C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
issuer=CN = my.root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2241 bytes and written 373 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DC5712A2DC5A9448CC03F272BEB01ABB1BE1A0802013FC1D5991AEB6952B08D4
    Session-ID-ctx: 
    Resumption PSK: DB6FC8EDB8B409D218DC10C2B1343955C3DB8D9200106FAC6DD373638D68EBEB716F65934AB834C17F836A9CC2A63238
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ed cc a9 c8 1d 36 85 25-dd 43 0f 9b 8d 3d b2 5c   .....6.%.C...=.\
    0010 - 78 89 dd 1f 9c c2 b2 b1-fb fd 17 23 64 89 a5 6a   x..........#d..j
    0020 - 48 25 dd 99 c9 8a d6 96-76 66 57 15 9e 6d 1d 1a   H%......vfW..m..
    0030 - 9e 2c cd 71 dc 58 c4 76-8c c0 40 8d a7 f3 01 d9   .,.q.X.v..@.....
    0040 - b5 46 20 53 6a ae 0f 05-66 24 0e c2 00 42 82 51   .F Sj...f$...B.Q
    0050 - 7f b1 8f a5 f6 0d 2c 94-32 de ad a8 e5 a1 a3 8e   ......,.2.......
    0060 - 2c 21 bd 26 8b 8e 90 ea-bd c3 cc c4 aa 13 eb 25   ,!.&...........%
    0070 - ca 9e 2c 95 93 db 05 99-5f 5b 46 74 16 19 89 9a   ..,....._[Ft....
    0080 - c3 61 20 c4 4e 27 f0 9f-48 e3 d2 3c 44 88 9b 0a   .a .N'..H..<D...
    0090 - 62 46 2f 1f b9 39 29 13-da a0 73 9f 9f d4 43 a9   bF/..9)...s...C.
    00a0 - 63 a0 e2 7b ad e8 f3 3a-f8 a4 4b ec ab ec 47 b4   c..{...:..K...G.
    00b0 - de ad df cb 0b 85 9d 1f-3d 14 79 d4 2d 2b 5f dd   ........=.y.-+_.
    00c0 - 2c d6 fc 39 fe 49 4a ca-27 c2 92 d3 66 58 29 54   ,..9.IJ.'...fX)T

    Start Time: 1725016440
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F9A7469D4C8F955C5F7F0153E53A1412E9A22BC234A74810DF401AF682DC97FD
    Session-ID-ctx: 
    Resumption PSK: 38A585DD58BD951B8A174C601960BF9E3A4A13295FFBBC0C62490194C74B47552340D684B7355ABD9A8CC8100CCA68D6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ed cc a9 c8 1d 36 85 25-dd 43 0f 9b 8d 3d b2 5c   .....6.%.C...=.\
    0010 - cf 77 91 34 f2 81 93 eb-f3 73 3c 91 cd 77 ef 63   .w.4.....s<..w.c
    0020 - e4 fa 7e fb 4a 8f 93 29-fa d4 31 1d d6 96 01 f4   ..~.J..)..1.....
    0030 - e2 b4 f7 81 c5 fa e8 89-c4 fa 50 57 1b 52 24 b2   ..........PW.R$.
    0040 - 5e 08 0e e4 fb 31 2a f8-bd 47 8e c3 b4 a2 1a e6   ^....1*..G......
    0050 - 07 d6 3c 57 1f 37 d0 20-c5 ee 96 f2 ec 56 de 28   ..<W.7. .....V.(
    0060 - 81 fb f2 97 0b 5b 09 00-35 82 a6 a1 9b cd 9d fd   .....[..5.......
    0070 - d3 54 d7 c5 86 c8 0c 26-f1 f9 82 35 cd 3d e2 11   .T.....&...5.=..
    0080 - e2 07 50 82 c2 79 6b 56-c5 f7 65 c3 98 0f 18 6a   ..P..ykV..e....j
    0090 - 6b c8 34 5a cf a1 8f b1-e2 6f c9 b2 a1 72 ff f9   k.4Z.....o...r..
    00a0 - cc 64 ff e9 8d 09 06 29-1d 1e 1d ae f7 48 5a b8   .d.....).....HZ.
    00b0 - 23 a8 20 ec aa 4f 17 51-ce 99 76 55 06 e6 12 ba   #. ..O.Q..vU....
    00c0 - b1 ae 10 cf b8 99 b3 63-66 a9 17 36 ba d6 29 82   .......cf..6..).

    Start Time: 1725016440
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Used certificates
Cert.zip

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@TheMadius