summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSam Hartman <hartmans@debian.org>2025-01-23 15:12:44 -0700
committerSam Hartman <hartmans@debian.org>2025-01-23 15:24:37 -0700
commit8e4619c73b320e2e539a17a9eb459acf0514533a (patch)
tree23215f55aaece0b16f98c0223300a79c8825f657
parent76c8294463e7d148d2fe3d95ef1ac18a68631dc5 (diff)
Fix regression that prevented sending intermediate client certificates
The change from the GNUTLS backend to the OpenSSL backend only loads the first certificate from a client certificate file. As a result it is no longer possible to send intermediate client certificates to the server to assist in certificate verification. Instead call ssl_ctx_use_certificate_chain_file so intermediate certificates can be sent. Signed-off-by: Sam Hartman <hartmans@debian.org>
-rw-r--r--methods/connect.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/methods/connect.cc b/methods/connect.cc
index 484b574d8..96c169e79 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -968,7 +968,7 @@ static SSL_CTX *GetContextForHost(std::string const &host, aptConfigWrapperForMe
// Client certificate setup, such that clients can authenticate to the server
if (auto const cert = OwnerConf->ConfigFind("SslCert", ""); not cert.empty())
- if (auto res = SSL_CTX_use_certificate_file(ctx, cert.c_str(), SSL_FILETYPE_PEM); res != 1)
+ if (auto res = SSL_CTX_use_certificate_chain_file(ctx, cert.c_str()); res != 1)
return null_error("Could not load client certificate (%s, SslCert option): %s", cert.c_str(), ssl_strerr());
if (auto const key = OwnerConf->ConfigFind("SslKey", ""); not key.empty())
if (auto res = SSL_CTX_use_PrivateKey_file(ctx, key.c_str(), SSL_FILETYPE_PEM); res != 1)