mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2

Browse Source 
Commit 1c65fdd5 "MINOR: ssl: add extra chain compatibility" really implement
SSL_CTX_set0_chain. Since ckch can be used to init more than one ctx with
openssl < 1.0.2 (commit 89f58073 for X509_chain_up_ref compatibility),
SSL_CTX_set1_chain compatibility is required.

This patch must be backported to 2.1.
This commit is contained in:
Emmanuel Hocdet 2019-10-24 18:33:10 +02:00 committed by William Lallemand
parent 6ab08b3fd4
commit 140b64fb56
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ssl_sock.c
View File

@ -3552,11 +3552,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
#else
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;
while ((ca = sk_X509_shift(ckch->chain)))
STACK_OF(X509) *chain;
chain = X509_chain_up_ref(ckch->chain);
while ((ca = sk_X509_shift(chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
X509_free(ca);
sk_X509_pop_free(chain, X509_free);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
}