Merging tlscertfile and tlscafile to only one TLS certificate
Julien ÉLIE
julien at trigofacile.com
Sat Oct 2 07:21:38 UTC 2021
Hi Russ, Richard and Perry,
>> A ticket has recently been opened regarding the use of tlscertfile and
>> tlscafile. (Looks like it is easier to contact us via Github than Trac!)
>> https://github.com/InterNetNews/inn/issues/164
>
> I think we should support loading all the certificates in tlscertfile, and
> then, if tlscafile exists, add the certificates from it. That should give
> us the best of both worlds: existing usage will still work, but people can
> migrate to putting the whole chain in tlscertfile. And then if we choose
> we can deprecate tlscafile, similar to how Apache has deprecated
> SSLCertificateChainFile, which is the equivalent of our current scheme.
I've just had a look at it.
The change is straightforward as we already call
SSL_CTX_load_verify_locations() to look for additional certificates in
tlscafile (which is the recommendation in OpenSSL documentation).
Suggestion follows, with updated wording in documentation (also in
nnrpd.pod, which shares the same wording as in inn.conf.pod):
diff --git a/nnrpd/tls.c b/nnrpd/tls.c
index 3b0bc7ab..67b0841b 100644
--- a/nnrpd/tls.c
+++ b/nnrpd/tls.c
@@ -391,9 +391,8 @@ set_cert_stuff(SSL_CTX * ctx, char *cert_file, char
*key_file)
struct stat buf;
if (cert_file != NULL) {
- if (SSL_CTX_use_certificate_file(ctx, cert_file,
- SSL_FILETYPE_PEM) <= 0) {
- syslog(L_ERROR, "unable to get certificate from '%s'",
cert_file);
+ if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
+ syslog(L_ERROR, "unable to get certificates from '%s'",
cert_file);
return (0);
}
if (key_file == NULL)
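Review bot: The `<= 0` test around SSL_CTX_use_certificate_chain_file() is consistent with OpenSSL's documented contract (1 on success, 0 otherwise), but this error path only fires when the file cannot be read or contains no certificate at all. OpenSSL takes the first PEM block in cert_file as the server certificate and appends every following block as extra chain in file order, so a tlscertfile with an intermediate or the root first loads cleanly here and only misbehaves later (the private key no longer matches the first certificate, or clients receive the wrong leaf). The "unable to get certificates from '%s'" message will therefore not be what an admin sees for a mis-ordered file; the documentation should state the leaf-first order explicitly, and it would help to append ERR_reason_error_string(ERR_get_error()) to the syslog line so that the OpenSSL reason (wrong PEM type, truncated file) is visible when this branch is taken.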
diff --git a/doc/pod/inn.conf.pod b/doc/pod/inn.conf.pod
index 85e0091b..d55af099 100644
--- a/doc/pod/inn.conf.pod
+++ b/doc/pod/inn.conf.pod
@@ -1126,9 +1126,25 @@ The path to a file containing the server
certificate to present to
TLS clients. This parameter is only used if B<nnrpd> is built with
TLS/SSL
support. The default value is I<pathetc>/cert.pem.
-Note that unlike Apache's I<SSLCertificateFile> directive, I<tlscertfile>
-should not contain a concatenation of certificates. Instead, if you have
-a certificate authority root certificate, set I<tlscafile> to its path.
+If you want to use a complete certificate chain, you can directly put
+it in I<tlscertfile> (like Apache's I<SSLCertificateFile> directive).
+Alternately, you can put a single certificate in I<tlscertfile> and use
+I<tlscafile> for additional certificates needed to complete the chain,
+like a separate authority root certificate.
+
+More concretly, when using S<Let's Encrypt> certificates, Certbot's
+files can be installed as follows:
+
+ tlscapath: <pathetc>
+ tlscafile: <pathetc>/chain.pem
+ tlscertfile: <pathetc>/cert.pem
+ tlskeyfile: <pathetc>/privkey.pem
+
+or:
+
+ tlscapath: <pathetc>
+ tlscertfile: <pathetc>/fullchain.pem
+ tlskeyfile: <pathetc>/privkey.pem
=item I<tlskeyfile>
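Review bot: Two spelling fixes in the new paragraph: "More concretly" should be "More concretely" and "Alternately" should be "Alternatively". More substantively, the text says a complete chain can go "directly" in I<tlscertfile> but not in which order; SSL_CTX_use_certificate_chain_file() expects the server certificate first, followed by the intermediates, which is the order Certbot's F<fullchain.pem> already has, so a sentence such as "the server certificate must come first, followed by the intermediate certificates, in order" belongs here. The example "like a separate authority root certificate" also deserves a qualifier: what clients need to complete the chain are the intermediates (Certbot's F<chain.pem>), not the root, which they must already trust; suggesting the root as the typical I<tlscafile> content invites admins to ship a useless extra certificate and omit the one that matters.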
diff --git a/doc/pod/news.pod b/doc/pod/news.pod
index 8bda82c9..8477940e 100644
--- a/doc/pod/news.pod
+++ b/doc/pod/news.pod
@@ -29,6 +29,12 @@ Thanks to Richard Kettlewell for the patch.
=item *
+The I<tlscertfile> parameter in F<inn.conf> now permits the use of
+a complete certificate chain, instead of necessarily having to use
+I<tlscafile> for additional certificates.
+
+=item *
+
The F<inn.conf> default value for I<tlsprotocols> no longer contains
TLS versions 1.0 and 1.1, which have been deprecated by S<RFC 8996>.
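Review bot: The entry says what is now permitted but not what an upgrader has to do or may keep; since the tls.c hunk leaves the tlscafile handling untouched, add that existing I<tlscertfile>/I<tlscafile> setups keep working unchanged, and state the required order (server certificate first, then the intermediates) so that the NEWS item matches the wording proposed for F<inn.conf.pod>.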
--
Julien ÉLIE
« There is nothing remarkable about it. All one has to do is hit the right
key at the right moment and the instrument plays itself. » (J.-S. Bach)
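The two inn.conf layouts from the patch (cert.pem + chain.pem, or fullchain.pem alone), exercised end to end as an added example; this is not INN code or anything from the thread. It builds a throwaway root, intermediate and leaf with the openssl command-line tool, lays the files out the way Certbot names them (cert.pem, chain.pem, fullchain.pem, privkey.pem are Certbot's real names; the hostname news.example.org, the CA names and the temporary directory are invented), and then runs the checks an administrator would want before pointing tlscertfile and tlscafile at the files: that each layout chains to the root, that the first certificate in the file is the one the private key belongs to, and that a file with the intermediate first is caught, since that is exactly the file SSL_CTX_use_certificate_chain_file() would load without complaint.

```shell
#!/bin/sh
# Added example, not INN's code: constructed root -> intermediate -> leaf PEM
# layout in the shape Certbot produces, plus the checks to run on it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: req wants a DN section, and x509 -req needs the
# extension sections that mark the CAs as CAs and the leaf as a server cert.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:news.example.org
EOF

# issue SUBJECT EXTSECTION NAME [CA]: new RSA key and certificate for NAME,
# signed by CA, or self-signed when CA is omitted (hypothetical test PKI).
issue() {
    subj="$1"; ext="$2"; name="$3"; ca="${4:-}"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    if [ -z "$ca" ]; then
        openssl req -x509 -new -key "$WORK/$name.key" -subj "$subj" -days 2 \
            -config "$WORK/openssl.cnf" -extensions "$ext" -out "$WORK/$name.pem"
    else
        openssl req -new -key "$WORK/$name.key" -subj "$subj" \
            -config "$WORK/openssl.cnf" -out "$WORK/$name.csr"
        openssl x509 -req -in "$WORK/$name.csr" -days 2 -CAcreateserial \
            -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
            -extfile "$WORK/openssl.cnf" -extensions "$ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

issue "/CN=Example Test Root" v3_ca root
issue "/CN=Example Test Intermediate" v3_ca intermediate root
issue "/CN=news.example.org" v3_leaf leaf intermediate

# Certbot-style files, constructed here rather than taken from a real host.
cp "$WORK/leaf.pem" "$WORK/cert.pem"                                  # tlscertfile (split layout)
cp "$WORK/intermediate.pem" "$WORK/chain.pem"                         # tlscafile   (split layout)
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem" # tlscertfile (single file)
cp "$WORK/leaf.key" "$WORK/privkey.pem"                               # tlskeyfile
# The mistake worth catching: intermediate first, leaf second.
cat "$WORK/intermediate.pem" "$WORK/leaf.pem" > "$WORK/wrongorder.pem"

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# first_subject FILE: subject of the first block only. openssl x509, like
# SSL_CTX_use_certificate_chain_file(), treats the first certificate in the
# file as the server certificate; anything after it is chain material.
first_subject() { openssl x509 -in "$1" -noout -subject; }

# key_matches CERTFILE KEYFILE: does KEYFILE belong to the first certificate
# in CERTFILE? Compares the SPKI from the cert with the one derived from the
# key. Exit status 0 on match, 1 on mismatch.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# verify_chain CERTFILE UNTRUSTEDFILE ROOTFILE: can CERTFILE be chained to
# ROOTFILE using only the intermediates found in UNTRUSTEDFILE?
verify_chain() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# Both layouts from the inn.conf.pod hunk pass; the reversed file does not.
verify_chain "$WORK/cert.pem" "$WORK/chain.pem" "$WORK/root.pem"
verify_chain "$WORK/cert.pem" "$WORK/fullchain.pem" "$WORK/root.pem"
key_matches "$WORK/fullchain.pem" "$WORK/privkey.pem"
echo "fullchain.pem: $(count_certs "$WORK/fullchain.pem") certs, first is $(first_subject "$WORK/fullchain.pem")"
if key_matches "$WORK/wrongorder.pem" "$WORK/privkey.pem"; then
    echo "unexpected: reversed file matched the key" >&2; exit 1
fi
echo "wrongorder.pem: first is $(first_subject "$WORK/wrongorder.pem"); key does not match"
```

The key_matches check is the one to keep in a deployment script: it asks the same question OpenSSL asks when the private key is loaded against the certificate already in the context, so running it against the file named in tlscertfile catches a reversed fullchain.pem before nnrpd is restarted.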