From 9a1d839f618052b04fc4e40fd5244a54c5a5fbe0 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 10 Aug 2020 17:28:23 +0200
Subject: [PATCH] BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2

The previous fix for ssl-skip-self-issued-ca requires the use of SSL_CTX_build_cert_chain() which is only available starting from OpenSSL 1.0.2
---
 doc/configuration.txt | 2 +-
 src/cfgparse-ssl.c | 5 +++++
 src/ssl_sock.c | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 98ec9393c..b6de695d1 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1426,7 +1426,7 @@ ssl-skip-self-issued-ca
 issuer for ocsp without the need for '.issuer' file and be able to share it
 with 'issuers-chain-path'. This concerns all certificates without intermediate
 certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
- bits does not need it.
+ bits does not need it. Requires at least OpenSSL 1.0.2.
 
 stats socket [|] [param*]
 Binds a UNIX socket to or a TCPv4/v6 address to .
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 060be5ab4..d22ae96fb 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1698,8 +1698,13 @@ static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct p
 struct proxy *defpx, const char *file, int line,
 char **err)
 {
+#ifdef SSL_CTX_build_cert_chain
 global_ssl.skip_self_issued_ca = 1;
 return 0;
+#else
+ memprintf(err, "global statement '%s' requires at least OpenSSL 1.0.2.", args[0]);
+ return -1;
+#endif
 }
 
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0f4eabb34..f8001c592 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
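Review bot: The gate at `+#ifdef SSL_CTX_build_cert_chain` in ssl_parse_skip_self_issued_ca() tests for a preprocessor symbol rather than for the OpenSSL version the commit message names, so it works only because OpenSSL's headers define SSL_CTX_build_cert_chain as a macro around SSL_CTX_ctrl(); a library whose headers expose it as a real function would take the #else branch and reject the directive even though the call would link. If the file already has a version macro in scope (haproxy's openssl-compat.h provides HA_OPENSSL_VERSION_NUMBER, to be confirmed for this tree), `#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL` would state the requirement directly, and the same test should be used for the matching guard in src/ssl_sock.c so the parser and the runtime code can never disagree. A short comment on the #ifdef, `/* SSL_CTX_build_cert_chain() is a macro in OpenSSL >= 1.0.2; without it the option cannot be honoured, so reject it at parse time */`, would record why a symbol test is used. The function's signature begins before the hunk (only its first line appears in the hunk header); its body ends inside the hunk.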
@@ -3011,6 +3011,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 }
 #endif
 
+#ifdef SSL_CTX_build_cert_chain
 /* remove the Root CA from the SSL_CTX if the option is activated */
 if (global_ssl.skip_self_issued_ca) {
 if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
@@ -3020,6 +3021,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 goto end;
 }
 }
+#endif
 
 #ifndef OPENSSL_NO_DH
 /* store a NULL pointer to indicate we have not yet loaded
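Review bot: The added `+#ifdef SSL_CTX_build_cert_chain` around the chain-building block only guards compilation; nothing at this site ties it to the parser guard in src/cfgparse-ssl.c, so if the two tests ever diverge (for example one is later changed to a version check), `global_ssl.skip_self_issued_ca` could be set while this block is compiled out and the self-issued root would silently stay in the served chain with no warning at startup. A comment on the #ifdef that names the dependency, `/* keep in sync with ssl_parse_skip_self_issued_ca() in cfgparse-ssl.c, which rejects the option when this block is unavailable */`, makes the invariant visible to the next person touching either guard. The `if (global_ssl.skip_self_issued_ca)` body and the error handling after the SSL_CTX_build_cert_chain() call are split across this file's two hunks, and ssl_sock_put_ckch_into_ctx() begins and ends outside them, so the `goto end` path could not be reviewed here.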