MediaBrowser / SocketHttpListener

A standalone HttpListener with support for SSL, WebSockets and Mono
MIT License

Support for sending an SSL certificate chain #13

Open lwfitzgerald opened 8 years ago

lwfitzgerald commented 8 years ago

I've recently switched to using certificates from Let's Encrypt which are signed by their intermediate CA, which is itself cross-signed by a browser-accepted root CA: [image: screenshot of certificate chain sent by Apache]

Because the intermediate CA certificate is not in the trust stores of any browsers it must be included in the certificate chain sent by the server.

Even if I include both certificates in the PKCS12 file, only the first is sent to any clients: [image]

sp00x commented 7 years ago

Is there any progress being done on this, or will it be addressed?

I've tried bundling my certs à la

copy mydomain.crt + bundle.crt all.crt
openssl pkcs12 -in all.crt -inkey mydomain.key -export -out all.pfx

(with no password)

then

var server = new SocketHttpListener.Net.HttpListener(new X509Certificate2(@"C:\Temp\cert\all.pfx", ""));

and this works fine in Chrome, but it fails in curl and other tools because they "can't verify the local issuer certificate".

curl:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

(Running with -k obviously works)

Checking it with openssl - openssl s_client -connect mydomain:8013 - gives:

CONNECTED(00000194)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=MYDOMAINHERE
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---

It works fine in Chrome, but I guess it just has a bunch of certs built in.

Hm, I suspect this is related to star certs... ours is a *.domain.tld and curl doesn't like it even with the production system running nginx and other magic elsewhere...
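Added example, not part of this issue thread or of the SocketHttpListener code base: a self-contained Go program that reproduces the failure mode discussed above. It builds a constructed three-certificate chain (a root, an intermediate and a leaf for the made-up host `example.test`, all generated in memory), then performs two real TLS handshakes over a loopback listener: once with the server presenting only the leaf, as the issue reports this library does, and once with leaf plus intermediate. The client trusts only the root, which is the situation of curl with its CA bundle, or of any client that cannot fetch the intermediate on its own. All names, the `must`/`issue`/`handshake` helpers and the `missingIssuer` check are this example's own, not the library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on err; acceptable for a test-fixture builder.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certPair is a constructed test certificate (DER) with its private key. Fixture only.
type certPair struct {
	der []byte
	key *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *certPair, dns []string) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = must(x509.ParseCertificate(parent.der)), parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &certPair{der: der, key: key}
}

// handshake runs a real TLS handshake over a loopback listener. The server presents exactly
// serverChain; the client trusts only root. Returns the client-side verification error, if any.
func handshake(root, leaf *certPair, serverChain [][]byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(root.der)))
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: serverChain, PrivateKey: leaf.key}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "example.test"}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tls.Server(conn, srvCfg).Handshake() // the server-side result is not what we measure
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		conn.Close()
	}
	<-done
	return err
}

// missingIssuer is Go's counterpart of curl's "unable to get local issuer certificate".
func missingIssuer(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

func main() {
	root := issue("Test Root CA", true, nil, nil)
	inter := issue("Test Intermediate CA", true, root, nil)
	leaf := issue("example.test", false, inter, []string{"example.test"})
	// Leaf alone reproduces the failure from this issue; leaf plus intermediate verifies.
	for _, chain := range [][][]byte{{leaf.der}, {leaf.der, inter.der}} {
		err := handshake(root, leaf, chain)
		fmt.Printf("server sent %d cert(s): error=%v, missing issuer=%t\n", len(chain), err, missingIssuer(err))
	}
}
```

`go run` prints both outcomes. The leaf-only handshake fails with Go's `x509.UnknownAuthorityError`, the counterpart of curl's error 60 and of s_client's `verify error:num=20`. The point is that `tls.Certificate.Certificate` is the complete list of DER certificates the server sends, so a server that takes only the first entry out of the PFX produces exactly the truncated chain seen in the s_client output above; Go's standard library has no PKCS12 writer, so the bundling step itself is not shown here.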

LukePulverenti commented 7 years ago

Right now we are waiting for the mono 4.8 release and will re-evaluate after we've tested the revamped TLS support based on Google BoringSSL:

http://www.mono-project.com/docs/about-mono/releases/4.8.0/

Please note that it is not our intention with this library to provide any kind of SSL support that Mono is missing natively, although pull request enhancements would be welcome.