Correctly load certificate chains into OpenSSL

Fix a longstanding bug where we were only loading the first (i.e. the leaf) certificate from any PEM file supplied by the user, this works in a lot of cases because most certificates are issued directly by trusted roots (LetsEncrypt for example), but chains that require an intermediate are by no means uncommon.
tiny-http · Feb 25, 2022 · 876efd6 · 876efd6
1 parent a9823f2
commit 876efd6
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/src/ssl/openssl.rs b/src/ssl/openssl.rs
@@ -74,8 +74,15 @@ impl OpenSslContext {
 
         let mut ctx = openssl::ssl::SslContext::builder(ssl::SslMethod::tls())?;
         ctx.set_cipher_list("DEFAULT")?;
-        let cert = X509::from_pem(&certificates)?;
-        ctx.set_certificate(&cert)?;
+        let certificate_chain = X509::stack_from_pem(&certificates)?;
+        if certificate_chain.is_empty() {
+            return Err("Couldn't extract certificate chain from config.".into());
+        }
+        // The leaf certificate must always be first in the PEM file
+        ctx.set_certificate(&certificate_chain[0])?;
+        for chain_cert in certificate_chain.into_iter().skip(1) {
+            ctx.add_extra_chain_cert(chain_cert)?;
+        }
         let key = PKey::private_key_from_pem(&private_key)?;
         ctx.set_private_key(&key)?;
         ctx.set_verify(SslVerifyMode::NONE);