From: Christos Tsantilas
Date: Sat, 29 Apr 2017 16:19:15 +0000 (+0300)
Subject: Bug 4659 - sslproxy_foreign_intermediate_certs does not work
X-Git-Tag: M-staged-PR71~189
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f77446915deeb713d07142bee49a2a37f97b162;p=thirdparty%2Fsquid.git
Bug 4659 - sslproxy_foreign_intermediate_certs does not work
The sslproxy_foreign_intermediate_certs directive does not work after r14769. The bug is caused because of wrong use of X509_check_issued OpenSSL API call. This is Measurement Factory project
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 12d0cc12bc..c9e3b22674 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1116,7 +1116,7 @@ findCertIssuerFast(Ssl::CertsIndexedList &list, X509 *cert)
 const auto ret = list.equal_range(SBuf(buffer));
 for (Ssl::CertsIndexedList::iterator it = ret.first; it != ret.second; ++it) {
 X509 *issuer = it->second;
- if (X509_check_issued(cert, issuer)) {
+ if (X509_check_issued(issuer, cert) == X509_V_OK) {
 return issuer;
 }
 }
@@ -1210,7 +1210,7 @@ completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) *untrustedCerts)
 X509 *current = X509_STORE_CTX_get0_cert(ctx);
 int i = 0;
 for (i = 0; current && (i < depth); ++i) {
- if (X509_check_issued(current, current)) {
+ if (X509_check_issued(current, current) == X509_V_OK) {
 // either ctx->cert is itself self-signed or untrustedCerts
 // aready contain the self-signed current certificate
 break;
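Review bot: The corrected test in findCertIssuerFast accepts `issuer` on a name, key-identifier and keyUsage match only, and nothing on the new line says so: X509_check_issued() does not verify the signature on `cert`, so the certificate returned here is a candidate issuer rather than a validated one. That is sound only if the completed chain is verified afterwards, which is presumably the case but is not visible in this hunk. A comment above the `if` would make the contract explicit, e.g. `// X509_check_issued() returns X509_V_OK (0) on a match and does not check the signature; chain verification must do that`. The same caveat applies to the self-signed test in the completeIssuers hunk, and findCertIssuerFast begins above this hunk.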
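Review bot: The `== X509_V_OK` comparison is now written out by hand here and in findCertIssuerFast, and the bug being fixed came from reading this return value as a boolean (and, in the other hunk, from swapping the two arguments). A file-local predicate with named parameters would keep the next caller from repeating either mistake, e.g. `static bool certIssuedBy(X509 *issuer, X509 *cert) { return X509_check_issued(issuer, cert) == X509_V_OK; }`, with this line becoming `if (certIssuedBy(current, current)) {`. The loop body and the rest of completeIssuers continue outside the hunk.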