Support for SSL_MODE_NO_AUTO_CHAIN
Hi all, Currently freeradius seems not supporting SSL_MODE_NO_AUTO_CHAIN. However, in some situations, that is needed. Following is the patch we used to enable that support in our work. Please consider to add this to code repository. Thanks a lot! -------------------------------------------------------------------------------- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 10026ec..5c3d0bf 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -264,6 +264,8 @@ eap { # # include_length = yes + # enable_auto_chain = yes + # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. diff --git a/src/include/tls-h b/src/include/tls-h index a41c6f5..f4345fd 100644 --- a/src/include/tls-h +++ b/src/include/tls-h @@ -338,6 +338,7 @@ struct fr_tls_server_conf_t { uint32_t verify_depth; bool file_type; bool include_length; + bool enable_auto_chain; bool disable_tlsv1; bool disable_tlsv1_1; bool disable_tlsv1_2; diff --git a/src/main/tls.c b/src/main/tls.c index 9df48b4..caa8713 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = { { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, random_file), NULL }, { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" }, { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" }, + { "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, enable_auto_chain), "yes" }, { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" }, #ifdef X509_V_FLAG_CRL_CHECK_ALL { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" }, @@ -2565,6 +2566,10 @@ post_ca: #endif #endif + if (!conf->enable_auto_chain) { + SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN); + } + /* Set Info callback */ SSL_CTX_set_info_callback(ctx, cbtls_info); -------------------------------------------------------------------------------- -- Best Regards, Chenggang Tang | 汤承刚
Hi Chenggang, I believe that would be better to send your request through the Github https://github.com/FreeRADIUS/freeradius-server/pulls -- Jorge Pereira On Tue, Oct 20, 2015 at 4:53 AM, Chenggang Tang (chentang) < chentang@cisco.com> wrote:
Hi all,
Currently freeradius seems not supporting SSL_MODE_NO_AUTO_CHAIN. However, in some situations, that is needed.
Following is the patch we used to enable that support in our work.
Please consider to add this to code repository.
Thanks a lot!
-------------------------------------------------------------------------------- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 10026ec..5c3d0bf 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -264,6 +264,8 @@ eap { # # include_length = yes
+ # enable_auto_chain = yes + # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. diff --git a/src/include/tls-h b/src/include/tls-h index a41c6f5..f4345fd 100644 --- a/src/include/tls-h +++ b/src/include/tls-h @@ -338,6 +338,7 @@ struct fr_tls_server_conf_t { uint32_t verify_depth; bool file_type; bool include_length; + bool enable_auto_chain; bool disable_tlsv1; bool disable_tlsv1_1; bool disable_tlsv1_2; diff --git a/src/main/tls.c b/src/main/tls.c index 9df48b4..caa8713 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = { { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, random_file), NULL }, { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" }, { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" }, + { "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, enable_auto_chain), "yes" }, { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" }, #ifdef X509_V_FLAG_CRL_CHECK_ALL { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" }, @@ -2565,6 +2566,10 @@ post_ca: #endif #endif
+ if (!conf->enable_auto_chain) { + SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN); + } + /* Set Info callback */ SSL_CTX_set_info_callback(ctx, cbtls_info);
--------------------------------------------------------------------------------
-- Best Regards, Chenggang Tang | 汤承刚
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Hi Jorge,
Thanks for your suggestion!
And thank Alan DeKok for the fix
https://github.com/FreeRADIUS/freeradius-server/commit/e60a9543a03152b77a5cdb15f681726564537482
So now this problem is fixed.
--
Best Regards,
Chenggang Tang | 汤承刚
On 10/20/15, 21:00, "Freeradius-Devel on behalf of Jorge Pereira" <freeradius-devel-bounces+chentang=cisco.com@lists.freeradius.org on behalf of jpereiran@gmail.com> wrote:
>Hi Chenggang,
>
>I believe that would be better to send your request through the Github
>https://github.com/FreeRADIUS/freeradius-server/pulls
>
>--
>Jorge Pereira
>
>On Tue, Oct 20, 2015 at 4:53 AM, Chenggang Tang (chentang) <
>chentang@cisco.com> wrote:
>
>> Hi all,
>>
>> Currently freeradius seems not supporting SSL_MODE_NO_AUTO_CHAIN.
>> However, in some situations, that is needed.
>>
>> Following is the patch we used to enable that support in our work.
>>
>> Please consider to add this to code repository.
>>
>> Thanks a lot!
>>
>>
>>
>> --------------------------------------------------------------------------------
>> diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
>> index 10026ec..5c3d0bf 100644
>> --- a/raddb/mods-available/eap
>> +++ b/raddb/mods-available/eap
>> @@ -264,6 +264,8 @@ eap {
>> #
>> # include_length = yes
>>
>> + # enable_auto_chain = yes
>> +
>> # Check the Certificate Revocation List
>> #
>> # 1) Copy CA certificates and CRLs to same directory.
>> diff --git a/src/include/tls-h b/src/include/tls-h
>> index a41c6f5..f4345fd 100644
>> --- a/src/include/tls-h
>> +++ b/src/include/tls-h
>> @@ -338,6 +338,7 @@ struct fr_tls_server_conf_t {
>> uint32_t verify_depth;
>> bool file_type;
>> bool include_length;
>> + bool enable_auto_chain;
>> bool disable_tlsv1;
>> bool disable_tlsv1_1;
>> bool disable_tlsv1_2;
>> diff --git a/src/main/tls.c b/src/main/tls.c
>> index 9df48b4..caa8713 100644
>> --- a/src/main/tls.c
>> +++ b/src/main/tls.c
>> @@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = {
>> { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING,
>> fr_tls_server_conf_t, random_file), NULL },
>> { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER,
>> fr_tls_server_conf_t, fragment_size), "1024" },
>> { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, include_length), "yes" },
>> + { "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, enable_auto_chain), "yes" },
>> { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, check_crl), "no" },
>> #ifdef X509_V_FLAG_CRL_CHECK_ALL
>> { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, check_all_crl), "no" },
>> @@ -2565,6 +2566,10 @@ post_ca:
>> #endif
>> #endif
>>
>> + if (!conf->enable_auto_chain) {
>> + SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
>> + }
>> +
>> /* Set Info callback */
>> SSL_CTX_set_info_callback(ctx, cbtls_info);
>>
>>
>>
>> --------------------------------------------------------------------------------
>>
>> --
>> Best Regards,
>> Chenggang Tang | 汤承刚
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/devel.html
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (2)
-
Chenggang Tang (chentang) -
Jorge Pereira