ADD : Read ssl certificate from chain file #616

Open
wants to merge 1 commit into
base: dev

TheMadius

It was necessary to deploy an HTTP server with SSL, but the certificate that was used was a chain of certificates. Libhv read only the first one. Added the ability to read a chain of certificates.

Before:

> openssl s_client -connect 10.23.18.4:9092

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Jan 12 08:54:21 2026 GMT
---
Server certificate
subject=C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
issuer=CN = my.root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1459 bytes and written 373 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 629C3064F349B59121DAD5600BD9762D5E5B68EA0D310EFBECA4AC356A74B549
    Session-ID-ctx: 
    Resumption PSK: E05581C9B8AC52EFA0D092026A9FFE4907114B6DDDF9B704A44715572953EAD21A58A54D5D5BA775762D7A84CE829172
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1725016271
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D778D3ECDCCDBC8684998C689204B6E3D3EB037F6C07B53FBA85BBD0A9771044
    Session-ID-ctx: 
    Resumption PSK: 543A0AF7EB25C799E92B1A071458E006B17BEA0DB5BCBB90AA610D5DE4DB2B168EFE1997EC4E214262CC147741C76578
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1725016272
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---

After:

openssl s_client -connect 10.23.18.4:19999
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = my.root
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 CN = my.root
verify return:1
depth=0 C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Jan 12 08:54:21 2026 GMT
 1 s:CN = my.root
   i:CN = my.root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 30 08:54:21 2024 GMT; NotAfter: Sep 29 08:54:21 2024 GMT
---
Server certificate
subject=C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com
issuer=CN = my.root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2241 bytes and written 373 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DC5712A2DC5A9448CC03F272BEB01ABB1BE1A0802013FC1D5991AEB6952B08D4
    Session-ID-ctx: 
    Resumption PSK: DB6FC8EDB8B409D218DC10C2B1343955C3DB8D9200106FAC6DD373638D68EBEB716F65934AB834C17F836A9CC2A63238
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1725016440
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F9A7469D4C8F955C5F7F0153E53A1412E9A22BC234A74810DF401AF682DC97FD
    Session-ID-ctx: 
    Resumption PSK: 38A585DD58BD951B8A174C601960BF9E3A4A13295FFBBC0C62490194C74B47552340D684B7355ABD9A8CC8100CCA68D6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1725016440
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Used certificates
Cert.zip
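
A check on the two `openssl s_client` runs above, as an added example (not part of the pull request or of libhv): it reads the `Certificate chain` section and the verify return code, and tells a server that sent only the leaf (code 21) from one that sent the full chain ending in a self-signed root the client does not trust (code 19). The sample text is abbreviated from the output above; the function names and verdict labels are made up for this example.

```python
import re

# Constructed sample input: abbreviated from the two s_client runs in the
# description above (PEM body, session tickets and repeated lines left out).
LEAF = "C = US, ST = Florida, L = Jacksonville, O = SomeOrg, emailAddress = some@email.com, CN = thedomain.com"
BEFORE = f"""Certificate chain
 0 s:{LEAF}
   i:CN = my.root
---
Server certificate
Verify return code: 21 (unable to verify the first certificate)
"""
AFTER = f"""Certificate chain
 0 s:{LEAF}
   i:CN = my.root
 1 s:CN = my.root
   i:CN = my.root
---
Server certificate
Verify return code: 19 (self-signed certificate in certificate chain)
"""

ENTRY = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)
CODE = re.compile(r"^ *Verify return code: (\d+) ", re.M)

def parse_chain(output):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    if "Certificate chain" not in output:
        return []
    section = output.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    return [(s.strip(), i.strip()) for _, s, i in ENTRY.findall(section)]

def diagnose(output):
    """Classify a run by chain length and OpenSSL verify return code."""
    chain = parse_chain(output)
    m = CODE.search(output)
    code = int(m.group(1)) if m else None
    if not chain or code is None:
        verdict = "unparsed"
    elif code == 0:
        verdict = "ok"
    elif code in (20, 21):  # issuer of the last cert neither sent nor trusted locally
        verdict = "issuer-missing"
    elif code in (18, 19):  # chain ends in a self-signed cert the client does not trust
        verdict = "untrusted-root"
    else:
        verdict = "other"
    return {"sent": len(chain), "code": code, "verdict": verdict,
            "last_issuer": chain[-1][1] if chain else None}
```

On a live capture, `issuer-missing` with `sent` equal to 1 points at the server's certificate loading; `untrusted-root` points at the client's trust store instead.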


@DorisJeanParish DorisJeanParish left a comment

Williejeromeparishjr1982 Id:049921093
