From 30abe72f2fb20407a66b09bea234044f5fc40955 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Thu, 13 Jun 2024 08:59:26 +0200
Subject: [PATCH] federator: Expect a client certificate to be the certificate chain (#4089)

Without this openssl doesn't forward to whole chain causing mTLS to not succeed.
---
 changelog.d/3-bug-fixes/federator-client-cert-chain | 3 +++
 services/federator/src/Federator/Monitor/Internal.hs | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/3-bug-fixes/federator-client-cert-chain

diff --git a/changelog.d/3-bug-fixes/federator-client-cert-chain b/changelog.d/3-bug-fixes/federator-client-cert-chain
new file mode 100644
index 00000000000..b05a5385ef6
--- /dev/null
+++ b/changelog.d/3-bug-fixes/federator-client-cert-chain
@@ -0,0 +1,3 @@
+federator: Expect a client certificate to be the certificate chain
+
+Without this openssl doesn't forward to whole chain causing mTLS to not succeed.
\ No newline at end of file
diff --git a/services/federator/src/Federator/Monitor/Internal.hs b/services/federator/src/Federator/Monitor/Internal.hs
index 1b6b74f84d1..d731858cacc 100644
--- a/services/federator/src/Federator/Monitor/Internal.hs
+++ b/services/federator/src/Federator/Monitor/Internal.hs
@@ -344,7 +344,7 @@ mkSSLContext settings = do
 ctx <- mkSSLContextWithoutCert settings
 Polysemy.fromExceptionVia @SomeException (InvalidClientCertificate . displayException) $
- SSL.contextSetCertificateFile ctx (clientCertificate settings)
+ SSL.contextSetCertificateChainFile ctx (clientCertificate settings)
 Polysemy.fromExceptionVia @SomeException (InvalidClientPrivateKey . displayException) $
 SSL.contextSetPrivateKeyFile ctx (clientPrivateKey settings)