BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option

In commit f187ce6, the ssl-skip-self-issued-ca option was accidentally
made useless by reverting the SSL_CTX reworking.

The previous attempt of making this feature was putting each certificate
of the chain in the SSL_CTX with SSL_CTX_add_extra_chain_cert() and was
skipping the Root CA.
The problem here is that doing it this way instead of doing a
SSL_CTX_set1_chain() break the support of the multi-certificate bundles.

The SSL_CTX_build_cert_chain() function allows one to remove the Root CA
with the SSL_BUILD_CHAIN_FLAG_NO_ROOT flag. Use it instead of doing
tricks with the CA.

Should fix issue #804.

Must be backported in 2.2.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 48f2da99e519f4993cb71f833543a56a00e6b3f3..0f4eabb34b34605e1dd72b2f5b90c4f1855644b4 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3011,6 +3011,16 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
        }
 #endif
 
+       /* remove the Root CA from the SSL_CTX if the option is activated */
+       if (global_ssl.skip_self_issued_ca) {
+               if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
+                       memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+                                 err && *err ? *err : "", path);
+                       errcode |= ERR_ALERT | ERR_FATAL;
+                       goto end;
+               }
+       }
+
 #ifndef OPENSSL_NO_DH
        /* store a NULL pointer to indicate we have not yet loaded
           a custom DH param file */