From: Emmanuel Hocdet
Date: Wed, 22 Jan 2020 16:02:53 +0000 (+0100)
Subject: BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"
X-Git-Tag: v2.2-dev2~96
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=078156d06399282ae467a9d1a450a42238870028;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert"

ocsp_issuer is primary set from ckch->chain when PEM is loaded from file, but not set when PEM is loaded via CLI payload. Set ckch->ocsp_issuer in ssl_sock_load_pem_into_ckch to fix that.

Should be backported in 2.1.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index afcceae66e..8ee164f55f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3274,6 +3274,7 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
 {
 	BIO *in = NULL;
 	int ret = 1;
+	int i;
 	X509 *ca;
 	X509 *cert = NULL;
 	EVP_PKEY *key = NULL;
@@ -3387,6 +3388,15 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
 	SWAP(ckch->cert, cert);
 	SWAP(ckch->chain, chain);
+	/* check if one of the certificate of the chain is the issuer */
+	for (i = 0; i < sk_X509_num(ckch->chain); i++) {
+		X509 *issuer = sk_X509_value(ckch->chain, i);
+		if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
+			ckch->ocsp_issuer = issuer;
+			X509_up_ref(issuer);
+			break;
+		}
+	}
 	ret = 0;
 end:
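Review bot: The new loop in the second hunk stores into `ckch->ocsp_issuer` without releasing a reference that may already be held there, so if ssl_sock_load_pem_into_ckch can run on a ckch that was populated earlier (the CLI replacement path this commit targets looks like such a case, though the caller is not visible here) the previous X509 is leaked. The rest of this function routes replacements through `SWAP()` and frees the displaced objects after `end:`; the issuer should get the same treatment, or at minimum the field should be dropped before the search with `X509_free(ckch->ocsp_issuer); ckch->ocsp_issuer = NULL;` placed above the `for` loop (`X509_free(NULL)` is a no-op). It is also worth noting in the comment that `X509_check_issued()` matches issuer name and key identifiers only and does not verify the chain certificate's signature, e.g. `/* name/key-id match only, no signature check */`. The body of ssl_sock_load_pem_into_ckch starts and continues outside this hunk.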
@@ -3464,22 +3474,8 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c
 #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
 	if (ckch->ocsp_response) {
-		X509 *issuer;
-		int i;
-
-		/* check if one of the certificate of the chain is the issuer */
-		for (i = 0; i < sk_X509_num(ckch->chain); i++) {
-			issuer = sk_X509_value(ckch->chain, i);
-			if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
-				ckch->ocsp_issuer = issuer;
-				X509_up_ref(ckch->ocsp_issuer);
-				break;
-			} else
-				issuer = NULL;
-		}
-		/* if no issuer was found, try to load an issuer from the .issuer */
-		if (!issuer) {
+		if (!ckch->ocsp_issuer) {
 			struct stat st;
 			char fp[MAXPATHLEN+1];