BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file

The httpclient is configured with @system-ca by default, which uses the
directory returned by X509_get_default_cert_dir().

On debian/ubuntu systems, this directory contains multiple certificate
files that are loaded successfully. However it seems that on other
systems the files in this directory is the direct result of
ca-certificates instead of its source. Meaning that you would only have
a bundle file with every certificates in it.

The loading was not done correctly in case of directory loading, and was
only loading the first certificate of each file.

This patch fixes the issue by using X509_STORE_load_locations() on each
file from the scandir instead of trying to load it manually with BIO.

Not that we can't use X509_STORE_load_locations with the `dir` argument,
which would be simpler, because it uses X509_LOOKUP_hash_dir() which
requires a directory in hash form. That wouldn't be suited for this use
case.

Must be backported in every stable branches.

Fix issue #3137.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b1c4c547a989ce3fd9ceda37f809e919b2933ad4..72241297cbc7925fc946bc41714fecb4d6a21ed8 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1526,8 +1526,6 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
                        for (i= 0; i < n; i++) {
                                char *end;
                                struct dirent *de = de_list[i];
-                               BIO *in = NULL;
-                               X509 *ca = NULL;;
 
                                ERR_clear_error();
 
@@ -1547,34 +1545,16 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
                                        free(de);
                                        continue;
                                }
-                               in = BIO_new(BIO_s_file());
-                               if (in == NULL)
-                                       goto scandir_err;
 
                                chunk_printf(&trash, "%s/%s", dir, de->d_name);
-
-                               if (BIO_read_filename(in, trash.area) == 0)
-                                       goto scandir_err;
-
-                               if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL)
+                               if (!X509_STORE_load_locations(store, trash.area, NULL))
                                        goto scandir_err;
 
-                               if (X509_STORE_add_cert(store, ca) == 0) {
-                                       /* only exits on error if the error is not about duplicate certificates */
-                                        if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
-                                                goto scandir_err;
-                                        }
-                               }
-
-                               X509_free(ca);
-                               BIO_free(in);
                                free(de);
                                continue;
 
 scandir_err:
                                e = ERR_get_error();
-                               X509_free(ca);
-                               BIO_free(in);
                                free(de);
                                /* warn if it can load one of the files, but don't abort */
                                if (!shuterror)