Web Interface SSL Support - certificate chains

[sphere]

Hi,

I have an issue that is not exactly a bug, but a missing feature.

In order to work correctly with some "official" (non-selfsigned) certificates, it can be necessary to provide the client with a set of intermediary CAs. This can't be configured in SABnzbd currently. It would require an equivalent to Apache's SSLCertificateChainFile Directive, see:

http://httpd.apache.org/docs/2.2/mod/mo ... echainfile

With that option, you could configure sab to use a free certificate from http://cert.startcom.org/ that is trusted by many current web browsers.

Regards,
sphere


Version: 0.5.0 beta 5
OS: Windows 7
Install type: Windows ZIP
reproducible: yes

[shypike]

Good idea. I must check if our internal webserver (CherryPy) supports this at all.
It won't make it into 0.5.0 Final.
Ticket: https://trac2.assembla.com/SABnzbd/ticket/368

[sphere]

great, thanks for picking up my suggestion.

and thanks for this great software project!

[sphere]

Just looked the issue up in CheryPy's documentation. It says:

In addition, the pyOpenSSL adapter sports a new context configuration method, which you can set to an instance of SSL.Context for more advanced settings. See the pyOpenSSL documentation for all the options. It also accepts a certificate_chain argument, the filename of CA's intermediate certificate bundle. This is needed for cheaper "chained root" SSL certificates, and should be left as None if not required.

[shypike]

Not sure if that's in the CherryPy release that we use.
Their 3.2.0RC1 release is (again) so incompatible with previous ones,
that we cannot use it yet.

[Blinkiz]

If it's possible to vote for a feature, my vote is on this one.

Searched the forum for chain support and found this one..