// Try to add generated ssl context to storage.
if (port->generateHostCertificates && isNew) {
- if (signAlgorithm == Ssl::algSignTrusted)
+ if (signAlgorithm == Ssl::algSignTrusted) {
+ // Add signing certificate to the certificates chain
+ X509 *cert = port->signingCert.get();
+ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+ // increase the certificate lock
+ CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+ } else {
+ const int ssl_error = ERR_get_error();
+ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+ }
Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+ }
//else it is self-signed or untrusted do not attrach any certificate
Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
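Review bot: `cert` is dereferenced in `CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509)` without a null check, and nothing in this hunk shows that `port->signingCert` is always set when `signAlgorithm == Ssl::algSignTrusted`; if it can be empty, the add call may accept the null pointer and the reference bump would then crash. Wrapping the new block in `if (X509 *cert = port->signingCert.get()) { ... }` would make that precondition explicit. Separately, `ERR_get_error()` returns `unsigned long`, so `const int ssl_error` narrows the code before it is handed to `ERR_error_string()`; `const unsigned long ssl_error = ERR_get_error();` avoids that. The enclosing function starts and ends outside the hunk, so any earlier validation of the signing certificate is not visible here.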
if (X509_check_issued(certificate, certificate) == X509_V_OK)
debugs(83, 5, "Certificate is self-signed, will not be chained");
else {
- if (sk_X509_push(chain, certificate))
- CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
- else
- debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
- // and add to the chain any certificate loaded from the file
+ // and add to the chain any other certificate exist in the file
while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
if (!sk_X509_push(chain, ca))
debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");