Bug fix: Current serial number generation code does not produce a stable serial numbe...
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Wed, 29 Feb 2012 21:12:18 +0000 (23:12 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Wed, 29 Feb 2012 21:12:18 +0000 (23:12 +0200)
Squid always sends the signing certificate to the ssl_crtd daemon, even for
self-signed certificates, because the signing certificate may be used by the
certificate adaptation algorithms. The ssl_crtd daemon currently ignores the
signing certificate in the case of self-signed certificates. As a result,
a random number is used as the serial number of the generated certificate.

This patch also use 0 as serial number of the temporary intermediate certificate
used to generate the final serial number of the certificate, in the case of
signing certificate is not given.

src/ssl/crtd_message.cc
src/ssl/gadgets.cc

index 47ed6ed09a09b7d4aada838c25863216858d7544..6abe65d58252bd6b7b35f5e931dbe059a69483cc 100644 (file)
@@ -213,8 +213,7 @@ bool Ssl::CrtdMessage::parseRequest(Ssl::CertificateProperties &certProperties,
     else
         certProperties.signAlgorithm = Ssl::algSignTrusted;
 
-    if (certProperties.signAlgorithm != Ssl::algSignSelf && 
-        !Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {
+    if (!Ssl::readCertAndPrivateKeyFromMemory(certProperties.signWithX509, certProperties.signWithPkey, certs_part.c_str())) {
         error = "Broken signing certificate!";
         return false;
     }
index 9fe9842adc34e38008cdf093ce95699538c6c7cc..5c0a62ea1abd241a982bdecd52aa495338c6570d 100644 (file)
@@ -401,6 +401,10 @@ static bool createSerial(Ssl::BIGNUM_Pointer &serial, Ssl::CertificateProperties
     Ssl::X509_Pointer fakeCert;
 
     serial.reset(x509Pubkeydigest(properties.signWithX509));
+    if (!serial.get()) {
+        serial.reset(BN_new());
+        BN_is_zero(serial.get());
+    }
 
     if (!generateFakeSslCertificate(fakeCert, fakePkey, properties, serial))
         return false;
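Review bot: `BN_is_zero(serial.get())` on the new fallback branch is a predicate, not a setter — it reports whether the BIGNUM is zero and the result is discarded, so the line does not assign the serial 0 that the commit description says is intended; the setter is `BN_zero(serial.get())`. The branch also never checks the `BN_new()` result: on allocation failure `serial.get()` stays null and the null BIGNUM is handed to generateFakeSslCertificate. I believe `BN_new()` already yields a zero-valued BIGNUM, so the current code happens to produce 0, but only by accident and without the failure check. Suggest `serial.reset(BN_new()); if (!serial.get()) return false; BN_zero(serial.get());`. createSerial's body starts before and continues after this hunk.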