[hunchentoot-devel] Chained SSL-certificates support

Hi guys, I built a website which runs on Hunchentoot. Now it's time to buy an SSL certificate. When I downloaded the QuickSSL Trial cert I found out that not all browsers accept it. After a little research I found out that there is another certificate that must be installed. This means it's a "chain root certificate", not a "single root". But it seems Hunchentoot has no capability to work with chained certificates. CL+SSL has an interesting function called USE-CERTIFICATE-CHAIN-FILE, but when I use it before creation of my ssl-acceptor the latter doesn't respond to browsers. What can I do in order to fix this issue? Thanks in advance.

Semion,

can you please supply us with a minimal test case and pointers to the certificate files that you have tried?

Thanks,
Hans
_______________________________________________
tbnl-devel site list
tbnl-devel@common-lisp.net
http://common-lisp.net/mailman/listinfo/tbnl-devel

The code is very simple.

;; begin of new code
(cl+ssl:reload)
(cl+ssl:use-certificate-chain-file "mysite.cer")    ; my site
(cl+ssl:use-certificate-chain-file "geotrust.cer")  ; intermediate
(cl+ssl:use-certificate-chain-file "geotrust+.cer") ; root
;; end of new code

(make-instance 'ssl-acceptor
               :ssl-certificate-file (car ssl-security)
               :ssl-privatekey-file (cdr ssl-security)
               :port (get-config-value :website-port))

Forgot to attach the certificates. Here.

Please post links to the certificates, too. Thanks.

I have sent them to you.

Hi Semion,

you can put all your certificates in one file, first root, then intermediate, then your site. It should work that way.

Best regards,
Vsevolod

I just checked and the "chain" stuff seems to be available in LispWorks as well:

http://www.lispworks.com/documentation/lw60/LW/html/lw-442.htm

As Semion mentioned the existence of such a function in CL+SSL, it looks like it should be possible to support chained certificates in Hunchentoot in a portable way (meaning LW and the rest). So, if someone wants to send a patch...

Edi.

No, in that case I get ERR_SSL_PROTOCOL_ERROR.

2010/9/1 Vsevolod Dyomkin <vseloved@gmail.com>
Hi Semion,
you can put all your certificates in one file, first root, then intermediate, then your site. It should work that way

I'm not familiar with chained certificates. How would you use your certificate with Apache for example?

Edi.

Hmm, probably like this:

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcertificatechainfile

I think Apache supports adding one additional certificate. To do that you must add the following line to the configuration file:

SSLCACertificateFile cert_filename

I use:

SSLCertificateFile /usr/local/etc/apache22/certs/billstclair.com.crt
SSLCertificateChainFile /usr/local/etc/apache22/certs/gd_bundle.crt
SSLCertificateKeyFile /usr/local/etc/apache22/certs/billstclair.com.key

billstclair.com.crt contains my certificate, signed by the GoDaddy CA. gd_bundle.crt contains the GoDaddy CA certificate and another CA certificate that signs it.

-Bill

This is really a problem, because most of the certificates that can be purchased use an intermediate root certificate... I really don't understand why this issue was not taken into consideration in the Hunchentoot design.

On Wed, Sep 1, 2010 at 16:46, Semion Prihodko <semion.ababo@gmail.com> wrote:
This is really a problem, because most of certificates that can be purchased use intermediate root certificate... really don't understand why this issue was not taken into consideration in Hunchentoot design.
We're sorry to hear that Hunchentoot does not meet your requirements. We implemented the features that we need, and chained certificate support was not required by us. You are welcome to send a patch. We can also offer paid support.

http://weitz.de/patches.html

-Hans

Actually I think that Hunchentoot is a great web server, so don't take it to heart. And I very much appreciate what all you guys do.

By the way, the issue is solved - no patch needed. The problem was in the documentation of CL+SSL:USE-CERTIFICATE-CHAIN-FILE, which was not clear. After reading the appropriate OpenSSL call reference I understood that only a single file needs to be added. In that file I need to place 2 certificates (in PEM format): the website's and the following intermediate CA's. Now it's working. Thanks a lot.

On Wed, Sep 1, 2010 at 4:46 PM, Semion Prihodko <semion.ababo@gmail.com> wrote:
This is really a problem, because most of certificates that can be purchased use intermediate root certificate... really don't understand why this issue was not taken into consideration in Hunchentoot design.
This is the way open source software works. Some hackers write code they need and give it away for free, others add features they deem worthwhile, and so on. If you need something that's not in there, add it yourself or pay someone to do it for you. The general rule is: You get what you paid for...

Edi.

Hi,

I had a similar problem some time ago but no time to investigate. I think the chain cert must be provided at a separate place in the SSL handshake. There's a special OpenSSL function and it seems to be exported in cl+ssl:

| CL+SSL:USE-CERTIFICATE-CHAIN-FILE (certificate-chain-file)
|
| Loads a PEM encoded certificate chain file certificate-chain-file and
| adds the chain to global context. The certificates must be sorted
| starting with the subject's certificate (actual client or server
| certificate), followed by intermediate CA certificates if applicable,
| and ending at the highest level (root) CA.

So it's probably not very hard. There was also a patch available somewhere online but it didn't work for me back then.

HTH,
Steffen
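Before a bundle is handed to use-certificate-chain-file, the ordering rule in the docstring above (site certificate first, then the intermediate, then the root; the root-first order suggested earlier in the thread is what produced the handshake error) can be checked and, if needed, restored; this is an added example, not code from the thread, CL+SSL or Hunchentoot. It walks each certificate's DER just far enough to read the issuer and subject names and flags any certificate that is not followed by its issuer; the certificates it runs on are constructed, unsigned skeletons, and the check compares names only, not signatures.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                          # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):                 # (issuer, subject) Name encodings of one X.509 cert
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)               # [0] EXPLICIT version is optional
    pos = pos if tag == 0xA0 else 0          # v1 cert: that TLV was already the serial
    _, _, pos = _tlv(tbs, pos)               # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    _, _, pos = _tlv(tbs, pos)               # validity
    _, subject, _ = _tlv(tbs, pos)           # subject Name
    return issuer, subject

def pem_certs(text):                         # PEM bundle -> list of DER certs, in file order
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def chain_order_errors(ders):                # leaf-first rule: cert i must be issued by cert i+1
    names = [issuer_and_subject(d) for d in ders]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def order_leaf_first(ders):                  # rebuild leaf-first order from a shuffled bundle
    names = [issuer_and_subject(d) for d in ders]
    by_subject = {subj: d for d, (_, subj) in zip(ders, names)}
    issuers = {iss for iss, subj in names if iss != subj}   # self-signed root excluded
    chain = [next(d for d, (_, subj) in zip(ders, names) if subj not in issuers)]
    issuer, subject = issuer_and_subject(chain[-1])
    while issuer != subject and issuer in by_subject:       # follow issuer links up to the root
        chain.append(by_subject[issuer])
        issuer, subject = issuer_and_subject(chain[-1])
    return chain

# Constructed fixtures: unsigned certificate skeletons (short-form DER lengths only), not real certs.
def _der(tag, value):
    return bytes([tag, len(value)]) + value
def fake_cert(subject, issuer):              # version, serial, empty sigalg/validity, the two Names
    def name(cn):                            # SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    return _der(0x30, _der(0x30, tbs))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

ROOT = fake_cert("Root CA", "Root CA")
INTER = fake_cert("Intermediate CA", "Root CA")
SITE = fake_cert("mysite", "Intermediate CA")
ROOT_FIRST = to_pem(ROOT) + to_pem(INTER) + to_pem(SITE)   # root-first order suggested in the thread
LEAF_FIRST = to_pem(SITE) + to_pem(INTER)                  # site then intermediate: what OpenSSL expects
```

Run chain_order_errors on the bundle you are about to load; an empty list means the file order matches the docstring, and order_leaf_first gives the corrected order when it does not.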
participants (6)

- Bill St. Clair
- Edi Weitz
- Hans Hübner
- Semion Prihodko
- Steffen Schulz
- Vsevolod Dyomkin