BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option

In commit f187ce6, the ssl-skip-self-issued-ca option was accidentally made useless by reverting the SSL_CTX reworking. The previous attempt of making this feature was putting each certificate of the chain in the SSL_CTX with SSL_CTX_add_extra_chain_cert() and was skipping the Root CA. The problem here is that doing it this way instead of doing a SSL_CTX_set1_chain() break the support of the multi-certificate bundles. The SSL_CTX_build_cert_chain() function allows one to remove the Root CA with the SSL_BUILD_CHAIN_FLAG_NO_ROOT flag. Use it instead of doing tricks with the CA. Should fix issue #804. Must be backported in 2.2.
2026-05-01 19:20:59 +02:00 · 2020-08-10 16:18:45 +02:00 · 2020-08-10 16:18:45 +02:00 · bf298afe2d
commit bf298afe2d
parent 477757c66b
1 changed files with 10 additions and 0 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -3011,6 +3011,16 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 #endif

+	/* remove the Root CA from the SSL_CTX if the option is activated */
+	if (global_ssl.skip_self_issued_ca) {
+		if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
+			memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+				  err && *err ? *err : "", path);
+			errcode |= ERR_ALERT | ERR_FATAL;
+			goto end;
+		}
+	}
+
 #ifndef OPENSSL_NO_DH
 	/* store a NULL pointer to indicate we have not yet loaded
 	   a custom DH param file */