ports/129681: SSL patch for net-im/ejabberd
Petr Holub
hopet at ics.muni.cz
Tue Dec 16 15:00:16 UTC 2008
>Number: 129681
>Category: ports
>Synopsis: SSL patch for net-im/ejabberd
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 16 15:00:15 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Petr Holub
>Release: FreeBSD 7.0-RELEASE i386
>Organization:
Masaryk University
>Environment:
System: FreeBSD arwen.ics.muni.cz 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Apr 13 20:28:04 CEST 2008 toor at arwen.ics.muni.cz:/usr/obj/usr/src/sys/ARWEN i386
>Description:
The ejabberd server is unable to present the CA certificate chain to the
client, and thus clients get an Unknown CA error unless they have it installed
locally (or unless ignoring SSL problems). With this patch, it is
possible to also put the CA certificate into the PEM file (together with
the server key and server certificate), and the CA certificate is presented
to the client.
For more information, see
http://hyperstruct.net/2007/6/20/installing-the-startcom-ssl-certificate-in-ejabberd
>How-To-Repeat:
cat serverkey.pem servercert.pem CAcert.pem >server.pem
Prior to this patch, the Psi client needs to have the CA certificate locally.
Now it can be provided by the ejabberd server.
>Fix:
--- patch-src::tls::tls_drv.c begins here ---
--- src/tls/tls_drv.c.orig 2008-12-16 13:04:21.000000000 +0100
+++ src/tls/tls_drv.c 2008-12-16 13:05:29.000000000 +0100
@@ -108,7 +108,7 @@
d->ctx = SSL_CTX_new(SSLv23_method());
die_unless(d->ctx, "SSL_CTX_new failed");
- res = SSL_CTX_use_certificate_file(d->ctx, buf, SSL_FILETYPE_PEM);
+ res = SSL_CTX_use_certificate_chain_file(d->ctx, buf);
die_unless(res > 0, "SSL_CTX_use_certificate_file failed");
res = SSL_CTX_use_PrivateKey_file(d->ctx, buf, SSL_FILETYPE_PEM);
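Review bot: the die_unless message on the line after the changed call still reads "SSL_CTX_use_certificate_file failed", so a failure to load the chain would be reported under the old function's name; change it to "SSL_CTX_use_certificate_chain_file failed". SSL_CTX_use_certificate_chain_file treats the first certificate in the file as the server's own and the following ones as chain certificates, so the port should also document that the server certificate must precede the CA certificate in the PEM file, as in the How-To-Repeat ordering.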
--- patch-src::tls::tls_drv.c ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
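A pre-flight check for the combined server.pem described above, as an added example (not part of the original report or of ejabberd): it lists the PEM blocks in file order and the role each certificate gets by position when the file is loaded as a chain. The function names, messages and sample data are assumptions; it assumes an unencrypted key and does not parse the certificates themselves.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect_bundle(text):
    """Return (roles, problems) for a combined key + certificate PEM file.

    roles lists every block in file order. The first CERTIFICATE block is
    used as the server certificate, later ones are sent as chain certificates.
    """
    roles, problems = [], []
    certs = keys = 0
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"block {len(roles) + 1} ({label}): invalid base64")
        if label.endswith("PRIVATE KEY"):
            keys += 1
            roles.append("private key")
        elif label == "CERTIFICATE":
            certs += 1
            roles.append("server certificate" if certs == 1 else "chain certificate")
        else:
            roles.append(f"ignored ({label})")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if certs == 0:
        problems.append("no certificate found")
    elif certs == 1:
        problems.append("only one certificate: no CA chain will be sent")
    if text.count("-----BEGIN ") != len(roles):
        problems.append("unterminated or mismatched BEGIN/END block")
    return roles, problems


def _block(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample (placeholder payloads, not real keys or certificates),
# in the order of: cat serverkey.pem servercert.pem CAcert.pem >server.pem
SAMPLE = (_block("RSA PRIVATE KEY", b"constructed key")
          + _block("CERTIFICATE", b"constructed server cert")
          + _block("CERTIFICATE", b"constructed CA cert"))

if __name__ == "__main__":
    print(inspect_bundle(SAMPLE))
```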