TlsConnector adds certificate chain from PKCS12 identity in reverse order #110
Using native-tls 0.2.1 on Linux (openssl).

When building a TlsConnector with a PKCS12 identity which contains 3 certificates, [leaf, intermediate, root], the intermediate and root certificates are sent to the server peer in reverse order, [leaf, root, intermediate], resulting in handshake errors (in particular javax.net.ssl.SSLException: subject/issuer name chaining check failed).

Comments

What order are the certificates stored in the PKCS12 file?

If I dump it with keytool the order is correct. It also works fine with a Java TLS client or, for example, with the openssl s_client command when exported into a pem file (openssl pkcs12 -in identity.p12 -out server.pem -nodes), and the pem file has it listed in proper order as well: [private key, leaf, intermediate, root].

The stack is the reverse of what you might expect due to the way PKCS12_parse is implemented, so we need to load it backwards. Closes #110

#111 should fix this - could you try it out to confirm?

I think it's only implemented for TlsAcceptor in this PR; it should also be changed for TlsConnector. When I change it manually it works, yes.

Great! I'll cut a release with the fix this morning.
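The ordering rule behind the handshake error in this thread, worked through as an added Python example (not code from native-tls, OpenSSL or the Java TLS stack): certificates are modelled as constructed (subject, issuer) name pairs, the CA stack is constructed in the reversed order the thread attributes to PKCS12_parse, and the code shows the peer's subject/issuer chaining check failing on the naive [leaf, root, intermediate] chain, passing once the stack is loaded backwards, and an order-independent walk from the leaf along issuer links that does not depend on what order the PKCS12 parser happens to return. Names, the `order_chain` helper and the sample PKI are all assumptions for illustration.

```python
"""Order a TLS certificate chain and check subject/issuer linkage.

Added example, not code from native-tls or OpenSSL. Certificates are
modelled as (subject, issuer) name pairs; a real implementation would take
them from parsed X.509 objects. All sample data below is constructed.
"""
from typing import List, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN)

# Constructed three-certificate identity: leaf <- intermediate <- root.
LEAF: Cert = ("CN=server.example.test", "CN=Example Intermediate CA")
INTERMEDIATE: Cert = ("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT: Cert = ("CN=Example Root CA", "CN=Example Root CA")  # self-signed

# The CA stack in the reversed order the thread reports PKCS12_parse returning
# it (root first) for a file that stores [leaf, intermediate, root]. Constructed.
PKCS12_CA_STACK: List[Cert] = [ROOT, INTERMEDIATE]


def chain_is_ordered(chain: List[Cert]) -> bool:
    """True when every certificate is directly issued by the one after it.

    This is the subject/issuer name chaining check a TLS peer applies to the
    Certificate message: chain[i].issuer must equal chain[i+1].subject.
    """
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def naive_chain(leaf: Cert, ca_stack: List[Cert]) -> List[Cert]:
    """Append the CA stack as returned; with the reversed stack this gives
    [leaf, root, intermediate], the chain the issue reports on the wire."""
    return [leaf] + list(ca_stack)


def reversed_chain(leaf: Cert, ca_stack: List[Cert]) -> List[Cert]:
    """The fix described in the thread: load the stack backwards."""
    return [leaf] + list(reversed(ca_stack))


def order_chain(leaf: Cert, cas: List[Cert]) -> List[Cert]:
    """Order-independent alternative (hypothetical helper): follow issuer links.

    Walks leaf -> issuer -> issuer's issuer until a self-signed certificate is
    reached or no issuer is present in `cas` (a chain may legitimately stop at
    an intermediate). Raises ValueError on an issuer loop, which an unchecked
    walk over a malformed bundle would otherwise follow forever.
    """
    by_subject = {subject: (subject, issuer) for subject, issuer in cas}
    chain = [leaf]
    seen = {leaf[0]}
    while True:
        subject, issuer = chain[-1]
        if subject == issuer or issuer not in by_subject:
            return chain
        nxt = by_subject[issuer]
        if nxt[0] in seen:
            raise ValueError(f"issuer loop at {nxt[0]!r}")
        seen.add(nxt[0])
        chain.append(nxt)


if __name__ == "__main__":
    for label, chain in (("as returned", naive_chain(LEAF, PKCS12_CA_STACK)),
                         ("reversed", reversed_chain(LEAF, PKCS12_CA_STACK)),
                         ("issuer walk", order_chain(LEAF, PKCS12_CA_STACK))):
        subjects = [c[0] for c in chain]
        print(f"{label:12} {subjects} ordered={chain_is_ordered(chain)}")
```

Running the script prints three chains: the one built from the stack as returned fails `chain_is_ordered`, while the reversed chain and the issuer walk both produce [leaf, intermediate, root]. The walk is the more robust choice when a library cannot promise the parser's output order, since it reads the order from the certificates themselves.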