Skip to content

Commit

Permalink
federator: Expect a client certificate to be the certificate chain (#…
Browse files Browse the repository at this point in the history 
…4092)

Without this openssl doesn't forward to whole chain causing mTLS to not succeed.

Backport of #4089
  • Loading branch information
@akshaymankar
akshaymankar authored Jun 17, 2024
1 parent 9d22b0c commit a47ddaa
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 3 additions & 0 deletions changelog.d/3-bug-fixes/federator-client-cert-chain
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
federator: Expect a client certificate to be the certificate chain

Without this openssl doesn't forward to whole chain causing mTLS to not succeed.
2 changes: 1 addition & 1 deletion services/federator/src/Federator/Monitor/Internal.hs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -344,7 +344,7 @@ mkSSLContext settings = do
ctx <- mkSSLContextWithoutCert settings

Polysemy.fromExceptionVia @SomeException (InvalidClientCertificate . displayException) $
SSL.contextSetCertificateFile ctx (clientCertificate settings)
SSL.contextSetCertificateChainFile ctx (clientCertificate settings)

Polysemy.fromExceptionVia @SomeException (InvalidClientPrivateKey . displayException) $
SSL.contextSetPrivateKeyFile ctx (clientPrivateKey settings)
Expand Down

0 comments on commit a47ddaa

Please sign in to comment.