lib-ssl-iostream: Correctly build certificate chains
authorAki Tuomi <aki.tuomi@dovecot.fi>
Sat, 10 Mar 2018 15:06:03 +0000 (17:06 +0200)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Mon, 4 Jun 2018 09:24:01 +0000 (12:24 +0300)
Prevents sending extraneous certificates when using
alternative certs.

Reported by John Fawcett <john@voipsupport.it> and
Peter Linss <peter@linss.com>.

m4/ssl.m4
src/lib-ssl-iostream/iostream-openssl-context.c

index e7d3db4ea2c9d9cec4cf4eaf637859b364ca51da..faf9cb1c4ef833ff33ef4d2a6d16708000556d9a 100644 (file)
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -133,6 +133,45 @@ AC_DEFUN([DOVECOT_SSL], [
         AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION,, [Define if you have SSL_CTX_set_min_proto_version])
       fi
 
+      # SSL_CTX_add0_chain_cert is also a macro so AC_CHECK_LIB fails here.
+      AC_CACHE_CHECK([whether SSL_CTX_add0_chain_cert exists],i_cv_have_ssl_ctx_add0_chain_cert,[
+        old_LIBS=$LIBS
+        LIBS="$LIBS -lssl"
+        AC_TRY_LINK([
+          #include <openssl/ssl.h>
+        ], [
+          SSL_CTX_add0_chain_cert((void*)0, 0);
+        ], [
+          i_cv_have_ssl_ctx_add0_chain_cert=yes
+        ], [
+          i_cv_have_ssl_ctx_add0_chain_cert=no
+        ])
+        LIBS=$old_LIBS
+      ])
+      if test $i_cv_have_ssl_ctx_add0_chain_cert = yes; then
+        AC_DEFINE(HAVE_SSL_CTX_ADD0_CHAIN_CERT,, [Define if you have SSL_CTX_add0_chain_cert])
+      fi
+
+      # SSL_CTX_set_current_cert is also a macro so AC_CHECK_LIB fails here.
+      AC_CACHE_CHECK([whether SSL_CTX_set_current_cert exists],i_cv_have_ssl_ctx_set_current_cert,[
+        old_LIBS=$LIBS
+        LIBS="$LIBS -lssl"
+        AC_TRY_LINK([
+          #include <openssl/ssl.h>
+        ], [
+          SSL_CTX_set_current_cert((void*)0, 0);
+        ], [
+          i_cv_have_ssl_ctx_set_current_cert=yes
+        ], [
+          i_cv_have_ssl_ctx_set_current_cert=no
+        ])
+        LIBS=$old_LIBS
+      ])
+      if test $i_cv_have_ssl_ctx_set_current_cert = yes; then
+        AC_DEFINE(HAVE_SSL_CTX_SET_CURRENT_CERT,, [Define if you have SSL_CTX_set_current_cert])
+      fi
+
+
       AC_CHECK_LIB(ssl, SSL_CIPHER_get_kx_nid, [
         AC_DEFINE(HAVE_SSL_CIPHER_get_kx_nid,, [Define if you have SSL_CIPHER_get_kx_nid])
       ],, $SSL_LIBS)
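Review bot: The second link test probes `SSL_CTX_set_current_cert`, but the define it produces, `HAVE_SSL_CTX_SET_CURRENT_CERT`, is also used in src/lib-ssl-iostream/iostream-openssl-context.c to guard a call to `SSL_CTX_select_current_cert`, which no test here probes. As far as I know both arrived together in OpenSSL 1.0.2 as macros over `SSL_CTX_ctrl`, so the mismatch is unlikely to bite, but a configure result should cover every symbol it enables; adding `SSL_CTX_select_current_cert((void*)0, (void*)0);` to the same AC_TRY_LINK body closes the gap. The two checks also set independent macros although the C code needs both APIs (select the certificate, then add its chain) to behave correctly, so one combined check, or a third define derived from both results, would keep a build from ending up half-enabled. The doubled blank line before the `SSL_CIPHER_get_kx_nid` check can be collapsed.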
index 125d1125db64a442e16cd7f114c986878ee74241..6dbbe9676073f50f21a78ba5096b58725383fd4a 100644 (file)
@@ -201,6 +201,9 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
                ret = 0;
 
        if (ret != 0) {
+#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+               SSL_CTX_select_current_cert(ctx, x);
+#endif
                /* If we could set up our certificate, now proceed to
                 * the CA certificates.
                 */
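Review bot: The return value of `SSL_CTX_select_current_cert(ctx, x)` is ignored, so if the call fails (it returns 0 when `x` is not a certificate the context holds) the previously selected certificate stays current and the chain certificates read below are attached to it, which is the very mixing of chains this commit sets out to prevent. The function already records failure as `ret = 0` (the `r == 0` branch in the next hunk) and has an `end:` cleanup label, so the check can follow that pattern: `if (SSL_CTX_select_current_cert(ctx, x) == 0) { ret = 0; goto end; }`. A short comment on why the selection must precede the chain loop, e.g. `/* make x the current cert so the chain below attaches to it, not to an earlier cert */`, would help the next reader. `ssl_ctx_use_certificate_chain` starts before and ends after this hunk.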
@@ -209,7 +212,11 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
                unsigned long err;
                
                while ((ca = PEM_read_bio_X509(in,NULL,NULL,NULL)) != NULL) {
+#ifdef HAVE_SSL_CTX_ADD0_CHAIN_CERT
+                       r = SSL_CTX_add0_chain_cert(ctx, ca);
+#else
                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+#endif
                        if (r == 0) {
                                X509_free(ca);
                                ret = 0;
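Review bot: The `#else` branch keeps the old behaviour on OpenSSL builds without `SSL_CTX_add0_chain_cert`: the extra chain is shared by every certificate in `ctx`, so the extraneous certificates this commit addresses are still sent there, and nothing in the code says so. A comment on the fallback makes the limitation explicit: `/* No per-certificate chains in this OpenSSL; the extra chain is shared by all certs in ctx, so alternative certs still send it. */`. The guards here, in the previous hunk and at `end:` are also independent, so a configure result with `HAVE_SSL_CTX_ADD0_CHAIN_CERT` but without `HAVE_SSL_CTX_SET_CURRENT_CERT` would attach this chain to whichever certificate happens to be current; a single condition such as `#if defined(HAVE_SSL_CTX_ADD0_CHAIN_CERT) && defined(HAVE_SSL_CTX_SET_CURRENT_CERT)` at all three sites avoids that. Ownership handling stays right for both calls, since each takes over `ca` on success and the existing `X509_free(ca)` only runs on failure.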
@@ -227,6 +234,9 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 end:
        if (x != NULL) X509_free(x);
        BIO_free(in);
+#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+       SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+#endif
        return ret;
 }