From: Christos Tsantilas
Date: Fri, 23 Jan 2015 09:27:47 +0000 (+0200)
Subject: Add missing root CAs when validating chains that passed internal checks.
X-Git-Tag: merge-candidate-3-v1~321
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=081be7ebf85eae6a1c0f1d44a878096d2c5d6cd8;p=thirdparty%2Fsquid.git

Add missing root CAs when validating chains that passed internal checks.

When internal checks found no certificate errors, Squid does not include root CA certificate in certificates chain sent to the certificate validator. Squid just sent the certificates chain sent by the SSL server. This patch stores the full certificates list built by OpenSSL while validating the SSL server certificates chain, even if no certificate error found and sends this list to certificate validator.

This is a Measurement Factory project
---

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 3dae5b006a..34043ad39a 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -313,16 +313,19 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 // pass them to certficate validator for more processing
 else if (Ssl::TheConfig.ssl_crt_validator) {
 ok = 1;
- // Check if we have stored certificates chain. Store if not.
- if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
- STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
- if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
- sk_X509_pop_free(certStack, X509_free);
- }
 }
 }
 }
+ if (Ssl::TheConfig.ssl_crt_validator) {
+ // Check if we have stored certificates chain. Store if not.
+ if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
+ STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
+ if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
+ sk_X509_pop_free(certStack, X509_free);
+ }
+ }
+
 if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
 // Find the broken certificate. It may be intermediate.
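Review bot: The relocated `if (Ssl::TheConfig.ssl_crt_validator)` block keeps the old comment `// Check if we have stored certificates chain. Store if not.`, which no longer explains why the chain is now captured even when `ok` is set and reads like an error-path leftover; replace it with `// Store the chain OpenSSL built (including a locally found root CA the server never sent) so the external validator sees the full chain even when internal checks passed.` Because this block now runs on every validator-enabled verification rather than only after an error, it is worth confirming that `ssl_ex_index_ssl_cert_chain` was registered with a free callback that releases the stack via `sk_X509_pop_free`, since `X509_STORE_CTX_get1_chain` returns an owning copy and without such a callback this becomes a per-connection leak instead of the rare one it was. Note also that the stored stack is whatever the first callback invocation sees and the `SSL_get_ex_data` guard prevents later invocations from replacing it, so if OpenSSL could not complete the chain the validator presumably receives that partial chain. The enclosing ssl_verify_cb starts and continues outside the hunk.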