BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"
authorEmmanuel Hocdet <manu@gandi.net>
Wed, 22 Jan 2020 16:02:53 +0000 (17:02 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Thu, 23 Jan 2020 13:33:14 +0000 (14:33 +0100)
ocsp_issuer is normally set from ckch->chain when the PEM is loaded from a
file, but it is not set when the PEM is loaded via a CLI payload. Set
ckch->ocsp_issuer in ssl_sock_load_pem_into_ckch to fix that.

Should be backported in 2.1.

src/ssl_sock.c

index afcceae66e818a6423cc8e72797eeffb8ecc4617..8ee164f55fd725e9759e6d3854dde8a4674cd24f 100644 (file)
@@ -3274,6 +3274,7 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
 {
        BIO *in = NULL;
        int ret = 1;
+       int i;
        X509 *ca;
        X509 *cert = NULL;
        EVP_PKEY *key = NULL;
@@ -3387,6 +3388,15 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
        SWAP(ckch->cert, cert);
        SWAP(ckch->chain, chain);
 
+       /* check if one of the certificate of the chain is the issuer */
+       for (i = 0; i < sk_X509_num(ckch->chain); i++) {
+               X509 *issuer = sk_X509_value(ckch->chain, i);
+               if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
+                       ckch->ocsp_issuer = issuer;
+                       X509_up_ref(issuer);
+                       break;
+               }
+       }
        ret = 0;
 
 end:
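Review bot: The new loop assigns `ckch->ocsp_issuer = issuer` without releasing any reference the ckch already holds, so a ckch that was previously populated (the SWAP of cert and chain just above shows this function is written to be called on an existing ckch) would lose its old issuer reference without an X509_free and leak it; I cannot see the callers from here, so this needs confirming against the CLI "set ssl cert" path. The simple fix is to drop the old reference before the search, `X509_free(ckch->ocsp_issuer); ckch->ocsp_issuer = NULL;`, which also keeps the search result correct when the new chain no longer contains the old issuer. A short comment on why the search runs unconditionally here would help too, e.g. `/* set ocsp_issuer for both file and CLI-payload loads; the .issuer fallback in ssl_sock_load_files_into_ckch only runs when this finds nothing */`. The body of ssl_sock_load_pem_into_ckch starts and ends outside this hunk.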
@@ -3464,22 +3474,8 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c
 
 #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
        if (ckch->ocsp_response) {
-               X509 *issuer;
-               int i;
-
-               /* check if one of the certificate of the chain is the issuer */
-               for (i = 0; i < sk_X509_num(ckch->chain); i++) {
-                       issuer = sk_X509_value(ckch->chain, i);
-                       if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
-                               ckch->ocsp_issuer = issuer;
-                               X509_up_ref(ckch->ocsp_issuer);
-                               break;
-                       } else
-                               issuer = NULL;
-               }
-
                /* if no issuer was found, try to load an issuer from the .issuer */
-               if (!issuer) {
+               if (!ckch->ocsp_issuer) {
                        struct stat st;
                        char fp[MAXPATHLEN+1];