From 935d8294d5a4671ec01256b4129b5bc3ce5ab00e Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 12 Aug 2020 20:02:10 +0200 Subject: [PATCH] BUG/MEDIUM: ssl: never generates the chain from the verify store In bug #781 it was reported that HAProxy completes the certificate chain using the verify store in the case there is no chain. Indeed, according to OpenSSL documentation, when generating the chain, OpenSSL use the chain store OR the verify store in the case there is no chain store. As a workaround, this patch always put a NULL chain in the SSL_CTX so OpenSSL does not tries to complete it. This must be backported in all branches, the code could be different, the important part is to ALWAYS set a chain, and uses sk_X509_new_null() if the chain is NULL. --- src/ssl_sock.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f8001c592..bb28f1815 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2985,15 +2985,20 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an find_chain = issuer->chain; } + if (!find_chain) { + /* always put a null chain stack in the SSL_CTX so it does not + * try to build the chain from the verify store */ + find_chain = sk_X509_new_null(); + } + /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ - if (find_chain) #ifdef SSL_CTX_set1_chain - if (!SSL_CTX_set1_chain(ctx, find_chain)) { - memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", - err && *err ? *err : "", path); - errcode |= ERR_ALERT | ERR_FATAL; - goto end; - } + if (!SSL_CTX_set1_chain(ctx, find_chain)) { + memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", + err && *err ? *err : "", path); + errcode |= ERR_ALERT | ERR_FATAL; + goto end; + } #else { /* legacy compat (< openssl 1.0.2) */ X509 *ca;