Bug 4659 - sslproxy_foreign_intermediate_certs does not work
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Sat, 29 Apr 2017 16:19:15 +0000 (19:19 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Sat, 29 Apr 2017 16:19:15 +0000 (19:19 +0300)
The sslproxy_foreign_intermediate_certs directive does not work after r14769.
The bug is caused by incorrect use of the X509_check_issued OpenSSL API call.

This is Measurement Factory project

src/ssl/support.cc

index 12d0cc12bc583073c2b386dfa31b7e00d76609ba..c9e3b22674b3fe93addc6416e9d5394f1b9c9e89 100644 (file)
@@ -1116,7 +1116,7 @@ findCertIssuerFast(Ssl::CertsIndexedList &list, X509 *cert)
     const auto ret = list.equal_range(SBuf(buffer));
     for (Ssl::CertsIndexedList::iterator it = ret.first; it != ret.second; ++it) {
         X509 *issuer = it->second;
-        if (X509_check_issued(cert, issuer)) {
+        if (X509_check_issued(issuer, cert) == X509_V_OK) {
             return issuer;
         }
     }
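Review bot: The corrected call `X509_check_issued(issuer, cert) == X509_V_OK` deserves a comment, because the argument order and the zero-on-success return value are exactly what went wrong here and neither is obvious at the call site. I would add above the `if`: `// X509_check_issued(issuer, subject) returns X509_V_OK (0) on a match; it compares names, key identifiers and key usage and does not verify the signature`. The second half matters to callers: the certificate returned by findCertIssuerFast is only a candidate issuer and still has to pass full chain verification before anything relies on it. The function body starts before this hunk, so how `buffer` is filled is not visible here.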
@@ -1210,7 +1210,7 @@ completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) *untrustedCerts)
     X509 *current = X509_STORE_CTX_get0_cert(ctx);
     int i = 0;
     for (i = 0; current && (i < depth); ++i) {
-        if (X509_check_issued(current, current)) {
+        if (X509_check_issued(current, current) == X509_V_OK) {
             // either ctx->cert is itself self-signed or untrustedCerts
             // aready contain the self-signed current certificate
             break;
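Review bot: The comment under the changed `if` in completeIssuers says "self-signed", but `X509_check_issued(current, current) == X509_V_OK` only establishes that the certificate is self-issued, meaning its issuer and subject data agree; no signature is checked at this point. I would reword the two comment lines to `// either ctx->cert is itself self-issued or untrustedCerts` and `// already contains the self-issued current certificate`, which also fixes the "aready" typo. Because the loop stops extending the chain on this condition, presumably a later verification step is what rejects a certificate that merely names itself as its own issuer. That is worth confirming, since the rest of the loop lies outside the hunk.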