From 8e4619c73b320e2e539a17a9eb459acf0514533a Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Thu, 23 Jan 2025 15:12:44 -0700 Subject: Fix regression that prevented sending intermediate client certificates The change from the GNUTLS backend to the OpenSSL backend only loads the first certificate from a client certificate file. As a result it is no longer possible to send intermediate client certificates to the server to assist in certificate verification. Instead call ssl_ctx_use_certificate_chain_file so intermediate certificates can be sent. Signed-off-by: Sam Hartman --- methods/connect.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'methods/connect.cc') diff --git a/methods/connect.cc b/methods/connect.cc index 484b574d8..96c169e79 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -968,7 +968,7 @@ static SSL_CTX *GetContextForHost(std::string const &host, aptConfigWrapperForMe // Client certificate setup, such that clients can authenticate to the server if (auto const cert = OwnerConf->ConfigFind("SslCert", ""); not cert.empty()) - if (auto res = SSL_CTX_use_certificate_file(ctx, cert.c_str(), SSL_FILETYPE_PEM); res != 1) + if (auto res = SSL_CTX_use_certificate_chain_file(ctx, cert.c_str()); res != 1) return null_error("Could not load client certificate (%s, SslCert option): %s", cert.c_str(), ssl_strerr()); if (auto const key = OwnerConf->ConfigFind("SslKey", ""); not key.empty()) if (auto res = SSL_CTX_use_PrivateKey_file(ctx, key.c_str(), SSL_FILETYPE_PEM); res != 1) -- cgit v1.2.3-70-g09d2