MEDIUM: ocsp: fix ocsp when the chain is loaded from 'issuers-chain-path'

This fixes OCSP when the issuer chain is in a separate PEM file. This is the
case of the issuers-chain-path keyword, which points to a folder that contains only
a PEM file with the RootCA and IntermediateCA.

Before this patch, the chain from 'issuers-chain-path' was applied
directly to the SSL_CTX without being applied to the data->chain
structure. This would work for SSL traffic, but every test done with
data->chain would fail, OCSP included, because the chain would be NULL.

This patch moves the loading of the chain from
ssl_sock_load_cert_chain(), which is the function that applies the chain
to the SSL_CTX, to ssl_sock_load_pem_into_ckch() which is the function
that loads the files into the ckch_data structure.

Fixes issue #2635 but it changes things on the CLI, so that's not
backportable.
This commit is contained in:
Valentine Krasnobaeva 2024-07-11 17:46:56 +02:00 committed by William Lallemand
parent c454296f07
commit f3dfd95aa2
2 changed files with 9 additions and 6 deletions


@ -647,6 +647,15 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d
} }
} }
/* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */
if (chain == NULL) {
struct issuer_chain *issuer_chain;
issuer_chain = ssl_get0_issuer_chain(cert);
if (issuer_chain) {
chain = X509_chain_up_ref(issuer_chain->chain);
}
}
ret = ERR_get_error(); ret = ERR_get_error();
if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) { if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
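Review bot: the new fallback block silently leaves `chain` NULL when `ssl_get0_issuer_chain(cert)` finds no matching issuer, and because the following `ret = ERR_get_error()` check only looks at the OpenSSL error queue, the caller cannot tell "no chain in the PEM and no match in issuers-chain-path" apart from "chain found"; a short comment stating that an absent chain is the intended outcome here would make that explicit. Ownership looks right: `ssl_get0_issuer_chain()` returns a borrowed pointer and `X509_chain_up_ref()` gives the ckch its own references, so freeing `data->chain` with the rest of the ckch_data is safe. Since `data->chain` is now populated from the global issuer store, the CLI output change mentioned in the commit message should be spelled out in the documentation so operators know a displayed chain may come from 'issuers-chain-path' rather than from the certificate file itself.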


@ -2613,12 +2613,6 @@ static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *da
if (data->chain) { if (data->chain) {
*find_chain = X509_chain_up_ref(data->chain); *find_chain = X509_chain_up_ref(data->chain);
} else {
/* Find Certificate Chain in global */
struct issuer_chain *issuer;
issuer = ssl_get0_issuer_chain(data->cert);
if (issuer)
*find_chain = X509_chain_up_ref(issuer->chain);
} }
if (!*find_chain) { if (!*find_chain) {
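Review bot: removing the `else` branch means `ssl_sock_load_cert_chain()` now relies entirely on `data->chain` having been filled in by `ssl_sock_load_pem_into_ckch()`; any ckch_data that is populated by a different loader (for example certificates updated at runtime through the CLI rather than read from a PEM at startup) would lose the 'issuers-chain-path' fallback and fall straight into the `if (!*find_chain)` path below. Please confirm that every path which creates a `struct ckch_data` goes through `ssl_sock_load_pem_into_ckch()`, or keep a defensive lookup here. As a style point, the remaining `if (data->chain) { ... }` immediately followed by `if (!*find_chain)` could be merged into a single conditional now that there is no alternative source.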