mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-02-03 16:31:08 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: allow duplicate certificates in ca-file directories

Browse Source 
It looks like OpenSSL 1.0.2 returns an error when trying to insert a
certificate whis is already present in a X509_STORE.

This patch simply ignores the X509_R_CERT_ALREADY_IN_HASH_TABLE error if
emitted.

Should fix part of issue #1780.

Must be backported in 2.6.
This commit is contained in:
William Lallemand 2022-07-18 18:42:52 +02:00
parent 3bda80789c
commit 4348232231
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/ssl_ckch.c
View File

@ -1201,6 +1201,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
BIO *in = NULL;
X509 *ca = NULL;;
ERR_clear_error();
/* we try to load the files that would have
* been loaded in an hashed directory loaded by
* X509_LOOKUP_hash_dir, so according to "man 1
@ -1229,8 +1231,12 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL)
goto scandir_err;
if (X509_STORE_add_cert(store, ca) == 0)
goto scandir_err;
if (X509_STORE_add_cert(store, ca) == 0) {
/* only exits on error if the error is not about duplicate certificates */
if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
goto scandir_err;
}
}
X509_free(ca);
BIO_free(in);