Opened 7 years ago

Closed 4 years ago

#4573 closed defect (fixed)

Consider using SSL_CTX_use_certificate_chain_file in module-webif-lib.c

Reported by: delilah23
Owned by: WIDI RISTIANTO
Priority: trivial
Component: Webinterface
Severity: low
Keywords: ssl
Cc:
Sensitive: no

Description

Revision: 11350

Issue Description

Oscam webif won't send out a complete cert chain to the browser when using SSL webif

When the issue occurs

It occurs when a cert is used that needs an intermediate cert to be sent out so that the browser can check the complete cert chain.

How the issue is reproducible

Use a typical intermediate-signed cert, e.g. one issued by Let's Encrypt.

I attached a (trivial) patch which would solve this issue. The given pem file is searched for a complete cert chain, which is then sent out to the client.

Attachments (1)

ssl_chain.patch (434 bytes ) - added by delilah23 7 years ago.


Change History (8)

by delilah23, 7 years ago

Attachment: ssl_chain.patch added

comment:1 by WIDI RISTIANTO, 7 years ago

Owner: set to WIDI RISTIANTO
Status: new → assigned

comment:2 by xeonpj, 7 years ago

Hi friend, I tried to apply the patch, but it still does not work with chain.pem from Let's Encrypt.

comment:3 by delilah23, 7 years ago

@xeonpj You have to use fullchain.pem (including 2 certificates in one file) - chain.pem only includes the intermediate cert, not the issued client cert itself.

comment:4 by xeonpj, 7 years ago

Patch applied to oscam r11390:

Console error, SSL not working:

1993090144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
1993090144:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:635:

Path: /etc/letsencrypt/live/URL_DNS/fullchain.pem

comment:5 by delilah23, 6 years ago

Well, you have to

cat /etc/letsencrypt/live/<domainname>/privkey.pem > /etc/oscam/oscam.pem
cat /etc/letsencrypt/live/<domainname>/fullchain.pem >> /etc/oscam/oscam.pem

(depending on where your Oscam Config lives, /etc/oscam in my case)

This copies private key and cert chain to oscam.pem.

You have to repeat this every time certbot regenerates the certificate with a new one.
For security reasons, oscam.pem should only be readable by the oscam process.

In oscam.conf there should be a

httpcert                      = /etc/oscam/oscam.pem

Oscam expects cert and private key in just one file.
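As an added check that is not part of the ticket or of OSCam itself: a small Python script that inspects the combined oscam.pem described above and flags the two failure modes seen in this thread (no private key block, as in comment:4, and only one certificate, so the intermediate is missing, as in comment:3), plus the file-permission point from comment:5. The PEM blocks it ships with are constructed placeholders, not real keys or certificates.

```python
import os
import re
import stat
from dataclasses import dataclass, field

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

@dataclass
class PemReport:
    keys: int = 0
    certs: int = 0
    problems: list = field(default_factory=list)

def inspect_pem(text: str) -> PemReport:
    """Count key and certificate blocks and flag the failure modes from the ticket."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    rep = PemReport(keys=sum(l.endswith("PRIVATE KEY") for l in labels),
                    certs=labels.count("CERTIFICATE"))
    if rep.keys == 0:
        # comment:4: fullchain.pem alone has no key, so SSL_CTX_use_PrivateKey_file
        # fails with "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY".
        rep.problems.append("no private key block: prepend privkey.pem")
    elif rep.keys > 1:
        rep.problems.append("more than one private key block")
    if rep.certs == 0:
        rep.problems.append("no certificate block")
    elif rep.certs == 1:
        # Original issue / comment:3: leaf only (or chain.pem without the leaf),
        # so the browser cannot build the complete chain.
        rep.problems.append("only one certificate: use fullchain.pem, not cert.pem or chain.pem")
    return rep

def permission_problems(mode: int) -> list:
    """comment:5: oscam.pem should be readable by the oscam process only."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["group/other can access the file: chmod 600"]
    return []

def check_file(path: str) -> PemReport:
    with open(path, encoding="ascii") as fh:
        rep = inspect_pem(fh.read())
    rep.problems += permission_problems(stat.S_IMODE(os.stat(path).st_mode))
    return rep

# Constructed sample blocks (placeholder bodies, not real key or certificate data).
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
FULLCHAIN = LEAF + INTERMEDIATE  # what certbot's fullchain.pem contains
OSCAM_PEM = KEY + FULLCHAIN      # what the two cat commands above produce

if __name__ == "__main__":
    for name, text in [("fullchain.pem only", FULLCHAIN), ("oscam.pem", OSCAM_PEM)]:
        print(name, inspect_pem(text))
```

Run `check_file("/etc/oscam/oscam.pem")` on the real file to get the block counts and the permission warning in one report.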

comment:6 by xeonpj, 6 years ago

Thanks friend, I have tried what you say, but it still does not work. I have tested the certificate on the Apache web server that I have on the same machine and it works perfectly.

I have verified that the oscam.pem file is generated correctly.

Must the indicated patch be applied? Yes or no?

I do not know what else to do....:(


oscam version:

Unix starttime: 1508173676
Starttime: 16.10.2017 19:07:56
Version: oscam-1.20-unstable_svn-r11384
Compiler: x86_64-linux-gnu-ssl
Box type: generic (generic)
PID: 1386
TempDir: /tmp/.oscam
ConfigDir: /usr/local/etc/
WebifPort: 1010

GBox tmp_dir: not defined using: /tmp/.oscam

value read during start up, not refreshed if changed later in webif!

Web interface support: yes
LiveLog support: yes
jQuery support intern: yes
Touch interface support: no
SSL support: yes
DVB API support: no
Irdeto guessing: no
Anti-cascading support: yes
Debug mode: no
Monitor: no
Loadbalancing support: yes
Cache exchange support: yes
CW Cycle Check support: yes
LCD support: no
LED support: no
Clockfix with realtime clock: yes
IPv6 support: no


VPS server ubuntu x64 16

thanks!!!!


comment:7 by felixka, 4 years ago

Resolution: fixed
Status: assigned → closed

fixed -> r11570
