mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

Revert "MINOR: ssl: rework add cert chain to CTX to be libssl independent"

Browse Source 
This reverts commit 4fed93eb72.

This commit was simplifying the certificate chain loading with
SSL_CTX_add_extra_chain_cert() which is available in all SSL libraries.
Unfortunately this function is not compatible with the
multi-certificates bundles, which have the effect of concatenating the
chains of all certificate types instead of creating a chain for each
type (RSA, ECDSA etc.)

Should fix issue #655.
This commit is contained in:
William Lallemand 2020-06-02 18:27:20 +02:00 committed by William Lallemand
parent 39bd740d00
commit f187ce68b1
1 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/ssl_sock.c
View File

@ -2917,29 +2917,31 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
find_chain = issuer->chain; find_chain = issuer->chain;
} }
/* Load all certs from chain, except Root, in the ssl_ctx */ /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
if (find_chain) { if (find_chain)
int i; #ifdef SSL_CTX_set1_chain
X509 *ca; if (!SSL_CTX_set1_chain(ctx, find_chain)) {
for (i = 0; i < sk_X509_num(find_chain); i++) { memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
ca = sk_X509_value(find_chain, i);
/* skip self issued (Root CA) */
if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
continue;
/*
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
*/
X509_up_ref(ca);
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
X509_free(ca);
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path); err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
#else
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;
STACK_OF(X509) *chain;
chain = X509_chain_up_ref(find_chain);
while ((ca = sk_X509_shift(chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
X509_free(ca);
sk_X509_pop_free(chain, X509_free);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
} }
#endif
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
/* store a NULL pointer to indicate we have not yet loaded /* store a NULL pointer to indicate we have not yet loaded