Bernd Wurst commited on 2012-03-19 13:39:19
Zeige 1 geänderte Dateien mit 14 Einfügungen und 3 Löschungen.
| ... | ... |
@@ -136,13 +136,24 @@ function validate_certificate($cert, $key) |
| 136 | 136 |
} |
| 137 | 137 |
|
| 138 | 138 |
$cacerts = array('/etc/ssl/certs');
|
| 139 |
- $chain = get_chain($cert); |
|
| 139 |
+ $chain = (int) get_chain($cert); |
|
| 140 | 140 |
if ($chain) |
| 141 | 141 |
{
|
| 142 |
- $cacerts[] = '/etc/apache2/certs/chains/'.$chain.'.pem'; |
|
| 142 |
+ $result = db_query("SELECT content FROM vhosts.certchain WHERE id={$chain}");
|
|
| 143 |
+ $tmp = mysql_fetch_assoc($result); |
|
| 144 |
+ $chaincert = $tmp['content']; |
|
| 145 |
+ $chainfile = tempnam(sys_get_temp_dir(), 'webinterface'); |
|
| 146 |
+ $f = fopen($chainfile, "w"); |
|
| 147 |
+ fwrite($f, $chaincert); |
|
| 148 |
+ fclose($f); |
|
| 149 |
+ $cacerts[] = $chainfile; |
|
| 143 | 150 |
} |
| 144 | 151 |
|
| 145 |
- if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, $cacerts) !== true) |
|
| 152 |
+ $valid = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, $cacerts); |
|
| 153 |
+ if ($chain) {
|
|
| 154 |
+ unlink($chainfile); |
|
| 155 |
+ } |
|
| 156 |
+ if ($valid !== true) |
|
| 146 | 157 |
{
|
| 147 | 158 |
DEBUG('certificate was not validated as a server certificate with the available chain');
|
| 148 | 159 |
return CERT_NOCHAIN; |
| 149 | 160 |
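Review bot: The chain content read from `vhosts.certchain` is appended to `$cacerts`, so `openssl_x509_checkpurpose()` treats it as trusted CA material rather than as intermediates that must themselves chain to a root in `/etc/ssl/certs`. If rows in that table can be written by anyone less trusted than the system CA store (not visible from this hunk), a certificate could validate against a chain it supplied itself. Where a chain exists, pass the temp file as the fourth argument instead, `openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, $cacerts, $chainfile)`, and drop `$cacerts[] = $chainfile;`. The results of `mysql_fetch_assoc()` and `fopen()` are also used unchecked, so a missing row or an unwritable temp directory ends in an empty or absent chain file; a guard such as `if (!$tmp) { return CERT_NOCHAIN; }` before writing would make that failure explicit. `validate_certificate()` starts and ends outside the hunk, so how callers handle these returns is not visible here.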