mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: never generates the chain from the verify store

Browse Source 
In bug #781 it was reported that HAProxy completes the certificate chain
using the verify store in the case there is no chain.

Indeed, according to OpenSSL documentation, when generating the chain,
OpenSSL use the chain store OR the verify store in the case there is no
chain store.

As a workaround, this patch always put a NULL chain in the SSL_CTX so
OpenSSL does not tries to complete it.

This must be backported in all branches, the code could be different,
the important part is to ALWAYS set a chain, and uses sk_X509_new_null()
if the chain is NULL.
This commit is contained in:
William Lallemand 2020-08-12 20:02:10 +02:00 committed by William Lallemand
parent a6d9879e69
commit 935d8294d5
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_sock.c
View File

@ -2985,8 +2985,13 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
find_chain = issuer->chain; find_chain = issuer->chain;
} }
if (!find_chain) {
/* always put a null chain stack in the SSL_CTX so it does not
* try to build the chain from the verify store */
find_chain = sk_X509_new_null();
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
if (find_chain)
#ifdef SSL_CTX_set1_chain #ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, find_chain)) { if (!SSL_CTX_set1_chain(ctx, find_chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",