MEDIUM: ssl: be stricter about chain error

The error check on the certificate chain was ignoring all decoding errors,
silently ignoring some errors.

This patch fixes the issue by being stricter on errors when reading the
chain. This is a change of behavior; it could break existing setups that
have a wrong chain.
William Lallemand 2022-10-25 15:55:13 +02:00
parent a538452fa4
commit 432cd1a7f8


@ -626,14 +626,16 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
if (chain == NULL)
chain = sk_X509_new_null();
if (ca == NULL)
break;
if (!sk_X509_push(chain, ca)) {
X509_free(ca);
goto end;
break;
}
}
ret = ERR_get_error();
if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
err && *err ? *err : "", path, ERR_reason_error_string(ret));
goto end;
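Review bot: the new condition `ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)` compares the reason code without checking the library it belongs to; OpenSSL reason codes are only meaningful together with `ERR_GET_LIB`, so an error from another library whose reason happens to share the numeric value of `PEM_R_NO_START_LINE` would still be swallowed here. The intended end-of-file exemption is better written as `if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE))`, which keeps the stricter behavior the commit message describes while only exempting the genuine "no more PEM objects" case. Two smaller points: `ERR_get_error()` pops a single entry, so any further queued errors survive into later code unless they are drained; and `if (ca == NULL) break;` inside the loop is unreachable, since the `while` condition already guarantees `ca` is non-NULL.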