Add missing root CAs when validating chains that passed internal checks.

When internal checks found no certificate errors, Squid does not include root
CA certificate in certificates chain sent to the certificate validator. Squid
just sent the certificates chain sent by the SSL server.

This patch stores the full certificates list built by OpenSSL while validating
the SSL server certificates chain, even if no certificate error found and sends
this list to certificate validator.

This is a Measurement Factory project

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 3dae5b006a85c597289aa4dc650ec815d57ae828..34043ad39a3e317dc033dbdded6284c47d483eb0 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -313,16 +313,19 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
             // pass them to certficate validator for more processing
             else if (Ssl::TheConfig.ssl_crt_validator) {
                 ok = 1;
-                // Check if we have stored certificates chain. Store if not.
-                if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
-                    STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
-                    if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
-                        sk_X509_pop_free(certStack, X509_free);
-                }
             }
         }
     }
 
+    if (Ssl::TheConfig.ssl_crt_validator) {
+        // Check if we have stored certificates chain. Store if not.
+        if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
+            STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
+            if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
+                sk_X509_pop_free(certStack, X509_free);
+        }
+    }
+
     if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
 
         // Find the broken certificate. It may be intermediate.