BUILD/MINOR: ssl: Fix compilation with OpenSSL 1.0.2

The X509_STORE_CTX_get0_cert did not exist yet on OpenSSL 1.0.2 and
neither did X509_STORE_CTX_get0_chain, which was not actually needed
since its get1 equivalent already existed.

include/haproxy/openssl-compat.h

@@ -291,6 +291,11 @@ static inline const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOK
 {
     return x->revocationDate;
 }
+
+static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+    return ctx->cert;
+}
 #endif
 
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)

src/ssl_sock.c

@@ -1592,14 +1592,12 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
 		 * chain, we might never call this verify callback on the client
 		 * certificate's depth (which is 0) so we try to store the
 		 * reference right now. */
-		if (X509_STORE_CTX_get0_chain(x_store) != NULL) {
+		certs = X509_STORE_CTX_get1_chain(x_store);
-			certs = X509_STORE_CTX_get1_chain(x_store);
+		if (certs) {
-			if (certs) {
+			client_crt = sk_X509_value(certs, 0);
-				client_crt = sk_X509_value(certs, 0);
+			if (client_crt) {
-				if (client_crt) {
+				X509_up_ref(client_crt);
-					X509_up_ref(client_crt);
+				SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
-					SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
-				}
 			}
 			sk_X509_pop_free(certs, X509_free);
 		}