mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: check private key consistency in loading

Browse Source 
Load a PEM certificate and use it in CTX are now decorrelated.
Checking the certificate and private key consistency can be done
earlier: in loading phase instead CTX set phase.
This commit is contained in:
Emmanuel Hocdet 2019-07-30 14:21:25 +02:00 committed by William Lallemand
parent 1c65fdd50e
commit 03e09f3818
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/ssl_sock.c
View File

@ -2992,6 +2992,12 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, struct cert_key_an
goto end; goto end;
} }
if (!X509_check_private_key(ckch->cert, ckch->key)) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
err && *err ? *err : "", path);
goto end;
}
/* Read Certificate Chain */ /* Read Certificate Chain */
ckch->chain = sk_X509_new_null(); ckch->chain = sk_X509_new_null();
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)))
@ -3064,12 +3070,6 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
} }
#endif #endif
if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
/* store a NULL pointer to indicate we have not yet loaded /* store a NULL pointer to indicate we have not yet loaded
a custom DH param file */ a custom DH param file */