

Fixes #36755 - Send full certificate chain to clients
Add option SSLExtraChainCert to the Webrick webserver, so the full
certificate chain is sent to clients during the SSL handshake.
jpasqualetto committed Sep 20, 2023
1 parent 06092bb commit 35f97bb
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions lib/launcher.rb
Expand Up @@ -38,6 +38,14 @@ def https_plugins
plugins.select { |p| p[:https_enabled] }.map { |p| p[:class] }
end

# Imitate OpenSSL::X509::Certificate.load_file for openssl < 3.0.0
def load_fullchain(bundle_pem)
File.read(bundle_pem)
.lines
.slice_after(/END CERTIFICATE/)
.map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
end

def http_app(http_port, plugins = http_plugins)
return nil unless http_enabled?
app = Rack::Builder.new do
Expand All @@ -62,6 +70,10 @@ def https_app(https_port, plugins = https_plugins)
logger.error "Unable to read #{settings.ssl_ca_file}. Are the values correct in settings.yml and do permissions allow reading?"
end

unless File.readable?(settings.foreman_ssl_ca)
logger.error "Unable to read #{settings.foreman_ssl_ca}. Are the values correct in settings.yml and do permissions allow reading?"
end

app = Rack::Builder.new do
plugins.each { |p| instance_eval(p.https_rackup) }
end
Expand Down Expand Up @@ -95,6 +107,7 @@ def https_app(https_port, plugins = https_plugins)
:SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER,
:SSLPrivateKey => load_ssl_private_key(settings.ssl_private_key),
:SSLCertificate => load_ssl_certificate(settings.ssl_certificate),
:SSLExtraChainCert => load_fullchain(settings.foreman_ssl_ca),
:SSLCACertificateFile => settings.ssl_ca_file,
:SSLOptions => ssl_options,
:SSLCiphers => CIPHERS - Proxy::SETTINGS.ssl_disabled_ciphers,
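Review bot: `load_fullchain` in the first hunk raises `OpenSSL::X509::CertificateError` as soon as the bundle has any trailing data after the last `END CERTIFICATE` line (a trailing blank line is common in hand-edited or concatenated bundles), because `slice_after` then yields a final chunk with no certificate and `OpenSSL::X509::Certificate.new` rejects it; inserting `.select { |pem| pem.any? { |line| line.include?("BEGIN CERTIFICATE") } }` between the `slice_after` and `map` calls restricts parsing to chunks that actually hold a PEM block. Whether `OpenSSL::X509::Certificate.load_file`, which the comment says this imitates, tolerates such trailing data is not visible here, so the comment should state the accepted input explicitly, e.g. `# Expects a PEM bundle: one or more concatenated certificates, no other content`. In the second hunk the readability check on `settings.foreman_ssl_ca` only logs, matching the existing `ssl_ca_file` check, but the call in the third hunk then raises from `File.read` with a less descriptive error when the file is unreadable; if that is acceptable, a short note on the check saying the failure is surfaced at load time would help the next reader. `https_app` begins before the second hunk and continues past the third.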

