try to allow certificate-chains #8859

Open: wants to merge 2 commits into base: master

Commits on Jun 20, 2023

  1. process certificate chains presented by the client

    Similar to Icinga#8859, this patch works
    around Icinga#7719 by allowing the
    intermediate certificate presented by the icinga2-agent.
    
    To make this work, the icinga2-master only holds the root-ca in its local
    ca.crt, while the icinga2-agent has the intermediate-cert in its local
    ca.crt (or the intermediate together with the root in the ca.crt, or
    the intermediate in the cert.pem - it doesn't matter).
    sircubbi committed Jun 20, 2023 (commit f06672c)
  2. try to allow certificate-chains

    Currently the verification of certificates uses only the first PEM in
    the ca-file and the first PEM in the certificate-file. This breaks if an
    intermediate certificate is needed.
    
    A simple workaround is to put the full chain into the ca-file and give
    the ca-file instead of the X509 structure to the VerifyCertificate()
    method. There we can just do the usual business but add the full
    ca-file again to OpenSSL's SSL_CTX_load_verify_locations().
    
    While this seems a little bit hackish, it should at least allow the
    proper verification of a certificate chain without introducing any
    security implications for setups with just a single root-ca.
    The only downside currently: while the CLI "pki verify" will correctly
    check the supplied parameters, it still only shows the topmost
    certificate from the ca-file (which I guess is fine for the moment).
    sircubbi committed Jun 20, 2023 (commit 80a405a)
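To make the point of the two commit messages concrete, here is an added shell example (not part of this PR or of Icinga 2's own code) that builds a root -> intermediate -> agent chain with the openssl CLI and runs `openssl verify` over the combinations discussed above: root only; root in the CA file plus the intermediate presented by the peer (the `-untrusted` file stands in for the chain an agent sends during the TLS handshake); the full chain in the CA file; and the first PEM of that file alone, which is what code that reads only the first certificate would see. The last check, trusting the intermediate directly with `-partial_chain`, goes one step beyond the commit's scenario. File names, subject names and the `verify_with` helper are this example's own choices; it assumes an openssl CLI (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not Icinga 2 code: build a root -> intermediate -> agent chain
# with the openssl CLI and check which CA-file / presented-chain combinations
# verify. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. All file names,
# subject names and the verify_with helper are this example's own choices.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config. CA:TRUE is required on root and intermediate, otherwise
# OpenSSL rejects them as issuers (X509_V_ERR_INVALID_CA).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA: self-signed, gets the ca_ext extensions through x509_extensions.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Intermediate CA: CSR signed by the root, same CA extensions.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/int.crt" 2>/dev/null

# Agent (leaf) certificate: signed by the intermediate, no CA extensions.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=agent.example.test" \
    -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/agent.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/agent.crt" 2>/dev/null

# The workaround from the commit message: the full chain in one CA file.
# 'openssl x509' reads only the first PEM block, which mimics code that looks
# at the first certificate of the ca-file only (here: the intermediate).
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain-ca.crt"
openssl x509 -in "$WORK/chain-ca.crt" -out "$WORK/first-only.crt"

# verify_with <ca-file> [extra 'openssl verify' options]: prints ok or fail.
verify_with() {
    ca_file=$1; shift
    if openssl verify -CAfile "$ca_file" "$@" "$WORK/agent.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "root only, intermediate nowhere:              $(verify_with "$WORK/root.crt")"
echo "root in CA file, agent presents int.crt:      $(verify_with "$WORK/root.crt" -untrusted "$WORK/int.crt")"
echo "intermediate + root in CA file:               $(verify_with "$WORK/chain-ca.crt")"
echo "first PEM of that CA file only:               $(verify_with "$WORK/first-only.crt")"
echo "intermediate alone, trusted as partial chain: $(verify_with "$WORK/first-only.crt" -partial_chain)"
```

The `-untrusted` case is the one the first commit describes (master holds only the root, agent ships the intermediate): the intermediate is used to build the chain but is not itself trusted. The `first-only` case fails for a different reason than the root-only case: the trust store then contains a certificate that is not self-signed, and without `-partial_chain` OpenSSL insists on reaching a self-signed anchor.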