federator: Expect a client certificate to be the certificate chain (#…

…4089) Without this openssl doesn't forward to whole chain causing mTLS to not succeed.
wireapp · Jun 13, 2024 · 30abe72 · 30abe72
1 parent 99c4092
commit 30abe72
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/changelog.d/3-bug-fixes/federator-client-cert-chain b/changelog.d/3-bug-fixes/federator-client-cert-chain
@@ -0,0 +1,3 @@
+federator: Expect a client certificate to be the certificate chain
+
+Without this openssl doesn't forward to whole chain causing mTLS to not succeed.
diff --git a/services/federator/src/Federator/Monitor/Internal.hs b/services/federator/src/Federator/Monitor/Internal.hs
@@ -344,7 +344,7 @@ mkSSLContext settings = do
   ctx <- mkSSLContextWithoutCert settings
 
   Polysemy.fromExceptionVia @SomeException (InvalidClientCertificate . displayException) $
-    SSL.contextSetCertificateFile ctx (clientCertificate settings)
+    SSL.contextSetCertificateChainFile ctx (clientCertificate settings)
 
   Polysemy.fromExceptionVia @SomeException (InvalidClientPrivateKey . displayException) $
     SSL.contextSetPrivateKeyFile ctx (clientPrivateKey settings)