mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-10-26 14:10:59 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

Browse Source 
The httpclient is configured with @system-ca by default, which uses the
directory returned by X509_get_default_cert_dir().

On debian/ubuntu systems, this directory contains multiple certificate
files that are loaded successfully. However it seems that on other
systems the files in this directory is the direct result of
ca-certificates instead of its source. Meaning that you would only have
a bundle file with every certificates in it.

The loading was not done correctly in case of directory loading, and was
only loading the first certificate of each file.

This patch fixes the issue by using X509_STORE_load_locations() on each
file from the scandir instead of trying to load it manually with BIO.

Not that we can't use X509_STORE_load_locations with the `dir` argument,
which would be simpler, because it uses X509_LOOKUP_hash_dir() which
requires a directory in hash form. That wouldn't be suited for this use
case.

Must be backported in every stable branches.

Fix issue #3137.
This commit is contained in:
William Lallemand 2025-09-26 09:22:55 +02:00
parent 230a072102
commit c52d69cc78
1 changed files with 1 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/ssl_ckch.c
View File

@ -1526,8 +1526,6 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
for (i= 0; i < n; i++) {
char *end;
struct dirent *de = de_list[i];
BIO *in = NULL;
X509 *ca = NULL;;
ERR_clear_error();
@ -1547,34 +1545,16 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
free(de);
continue;
}
in = BIO_new(BIO_s_file());
if (in == NULL)
goto scandir_err;
chunk_printf(&trash, "%s/%s", dir, de->d_name);
if (BIO_read_filename(in, trash.area) == 0)
if (!X509_STORE_load_locations(store, trash.area, NULL))
goto scandir_err;
if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL)
goto scandir_err;
if (X509_STORE_add_cert(store, ca) == 0) {
/* only exits on error if the error is not about duplicate certificates */
if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
goto scandir_err;
}
}
X509_free(ca);
BIO_free(in);
free(de);
continue;
scandir_err:
e = ERR_get_error();
X509_free(ca);
BIO_free(in);
free(de);
/* warn if it can load one of the files, but don't abort */
if (!shuterror)