mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-21 22:32:41 +01:00
Append the intermediate chain to the "cert" parameter in Aphlict
Summary: Per the documentation[1], any intermediate chain is to be appended to the "cert" parameter. The "ca" parameter controls the root CA used to authenticate the client certificate, if one is provided, and is not used for intermediate certificate chains -- nor has it ever been. It is not clear how this could have worked in the past[2]. [1] https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options [2] D15709 Test Plan: Before this diff, with node 4.2.6 from Ubuntu packages: ``` $ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/ verify depth is 5 CONNECTED(00000003) depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net verify error:num=27:certificate not trusted verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA ``` After: ``` $ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/ verify depth is 5 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA 1 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA ``` Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: Korvin, epriestley Differential Revision: https://secure.phabricator.com/D18181
This commit is contained in:
parent
f94cee8628
commit
11f1c13915
1 changed files with 3 additions and 8 deletions
|
@ -103,10 +103,9 @@ for (ii = 0; ii < config.servers.length; ii++) {
|
||||||
|
|
||||||
if (spec['ssl.cert']){
|
if (spec['ssl.cert']){
|
||||||
spec['ssl.cert'] = fs.readFileSync(spec['ssl.cert']);
|
spec['ssl.cert'] = fs.readFileSync(spec['ssl.cert']);
|
||||||
}
|
if (spec['ssl.chain']){
|
||||||
|
spec['ssl.cert'] += "\n" + fs.readFileSync(spec['ssl.chain']);
|
||||||
if (spec['ssl.chain']){
|
}
|
||||||
spec['ssl.chain'] = fs.readFileSync(spec['ssl.chain']);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
servers.push(spec);
|
servers.push(spec);
|
||||||
|
@ -140,10 +139,6 @@ for (ii = 0; ii < servers.length; ii++) {
|
||||||
cert: server['ssl.cert'],
|
cert: server['ssl.cert'],
|
||||||
};
|
};
|
||||||
|
|
||||||
if (server['ssl.chain']) {
|
|
||||||
https_config.ca = server['ssl.chain'];
|
|
||||||
}
|
|
||||||
|
|
||||||
http_server = https.createServer(https_config);
|
http_server = https.createServer(https_config);
|
||||||
} else {
|
} else {
|
||||||
http_server = http.createServer();
|
http_server = http.createServer();
|
||||||
|
|
Loading…
Reference in a new issue