deluge-web SSL w/ Comodo certificates

General support for problems installing or using Deluge
Cas
Top Bloke
Posts: 3681
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: deluge-web SSL w/ Comodo certificates

Post by Cas »

This is a support forum so lack of topics actually suggests no-one else has run into this issue. We have a diverse userbase and so it would be prudent to expect a percentage to have used 3rd party certs. There is nothing in the log because we don't do anything with the certs; they are passed to OpenSSL/Twisted and that's it.

These are the two functions for the two files (from OpenSSL docs):
SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object.

SSL_CTX_use_PrivateKey_file() adds the first private key found in file to ctx. The formatting type of the certificate must be specified from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in file to ctx. SSL_use_PrivateKey_file() adds the first private key found in file to ssl; SSL_use_RSAPrivateKey_file() adds the first private RSA key found to ssl.
starkruzr
New User
Posts: 6
Joined: Sat Nov 29, 2014 10:51 pm

Re: deluge-web SSL w/ Comodo certificates

Post by starkruzr »

So, here's the thing.

The above configuration, with the server cert first followed by the rest of the chain all the way up to the root CA, worked perfectly. Hurrah!

Here's the problem:

1) This is precisely the OPPOSITE configuration of every other service I've configured, which all put the certificate order in the opposite direction (Apache, nginx, IIS all go in the opposite direction).
2) There is nothing about the error message produced (SSL version mismatch?!) to suggest that this is what the problem is.
3) Nowhere is this certificate order documented in Deluge's docs.
4) Nowhere is it even documented that Deluge uses so-and-so SSL system, and so you should go there to figure out issues with SSL.

Couldn't we have fixed this much earlier with this information?

ETA: I would edit the Wiki myself, but the registration system appears to be broken:

Image
Cas
Top Bloke
Posts: 3681
Joined: Mon Dec 07, 2009 6:04 am
Location: Scotland

Re: deluge-web SSL w/ Comodo certificates

Post by Cas »

I'm afraid I don't believe the order of other services is any different (unless they reorder it themselves) because the TLS spec specifies that order so it is how all SSL implementations work: http://webmasters.stackexchange.com/a/28074
certificate_list

This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
Deluge's use of OpenSSL is documented but, as referenced above, is not relevant as it follows the TLS spec.

The error ERR_SSL_VERSION_OR_CIPHER_MISMATCH did not directly point to the issue; however, it heavily pointed to a certificate problem, and I suggested many times that there was a problem with how the certs were created. Had you searched and verified how to chain the certificates, you would have found that the order matters, e.g. http://blog.edgecloud.com/post/19519955 ... er-matters

It is not relevant to Deluge to document certificate usage as it is not specific to our project.