    Append the intermediate chain to the "cert" parameter in Aphlict · 11f1c139
    Alex Vandiver authored
    Summary:
    Per the documentation[1], any intermediate chain is to be
    appended to the "cert" parameter.  The "ca" parameter controls the
    root CA used to authenticate the client certificate, if one is
    provided, and is not used for intermediate certificate chains -- nor
    has it ever been.  It is not clear how this could have worked in the
    past[2].
    
    [1] https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
    [2] D15709
    
    Test Plan:
    Before this diff, with node 4.2.6 from Ubuntu packages:
    ```
    $ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/
    verify depth is 5
    CONNECTED(00000003)
    depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    ```
    
    After:
    ```
    $ openssl s_client -connect phabricator.dropboxer.net:22280 -verify 5 -CApath /etc/ssl/certs/
    verify depth is 5
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Dropbox, Inc", OU = Dropbox Ops, CN = phabricator.dropboxer.net
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
     1 s:/C=US/ST=California/L=San Francisco/O=Dropbox, Inc/OU=Dropbox Ops/CN=phabricator.dropboxer.net
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    ```
    
    Reviewers: #blessed_reviewers, epriestley
    
    Reviewed By: #blessed_reviewers, epriestley
    
    Subscribers: Korvin, epriestley
    
    Differential Revision: https://secure.phabricator.com/D18181
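The rule the summary cites from the Node.js documentation, as an added example (not code from this commit or from Aphlict): the leaf certificate and its intermediates are concatenated into `cert`, leaf first, and `ca` is left unset. The function names and the placeholder PEM blocks are assumptions constructed for illustration; the helper also skips repeated blocks, so a chain file that restates the leaf does not put it into the served chain twice.

```javascript
// Added example; function names are hypothetical, not Aphlict's own.
const CERT_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle into its individual certificate blocks.
function pemBlocks(text) {
  return (text || '').match(CERT_BLOCK) || [];
}

// Build the value for the "cert" option: leaf first, then the intermediates
// in file order, skipping any block that has already been emitted.
function buildCertOption(leafPem, chainPem) {
  const leaf = pemBlocks(leafPem);
  if (leaf.length === 0) {
    throw new Error('leaf file contains no PEM certificate');
  }
  const seen = new Set();
  const ordered = [];
  for (const block of leaf.concat(pemBlocks(chainPem))) {
    const key = block.replace(/\s+/g, ''); // compare ignoring line wrapping
    if (!seen.has(key)) {
      seen.add(key);
      ordered.push(block);
    }
  }
  return ordered.join('\n') + '\n';
}

// Options for tls.createServer() / https.createServer(). "ca" is left unset
// because no client-certificate authentication is configured here.
function buildTlsOptions(keyPem, leafPem, chainPem) {
  return { key: keyPem, cert: buildCertOption(leafPem, chainPem) };
}

// Constructed placeholder blocks (not real certificates) to show ordering.
function fakeCert(label) {
  const body = Buffer.from('constructed:' + label).toString('base64');
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
}

const demo = buildTlsOptions(
  'constructed-key',
  fakeCert('leaf'),
  fakeCert('leaf') + fakeCert('intermediate') // chain file that repeats the leaf
);
console.log(pemBlocks(demo.cert).length); // 2
```

With real files, the returned object is what gets passed to the server constructor, and the `openssl s_client` command from the test plan confirms the chain the server actually sends.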