From: William Lallemand
Date: Mon, 18 Jul 2022 16:42:52 +0000 (+0200)
Subject: BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
X-Git-Tag: v2.7-dev3~84
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4348232231f8ac652c166c5cf49e5024fac40751;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: allow duplicate certificates in ca-file directories

It looks like OpenSSL 1.0.2 returns an error when trying to insert a certificate which is already present in an X509_STORE. This patch simply ignores the X509_R_CERT_ALREADY_IN_HASH_TABLE error if emitted.

Should fix part of issue #1780.

Must be backported in 2.6.

---

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 0f430a469d..b0bd7bd39d 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1201,6 +1201,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty BIO *in = NULL; X509 *ca = NULL;; + ERR_clear_error(); + /* we try to load the files that would have * been loaded in an hashed directory loaded by * X509_LOOKUP_hash_dir, so according to "man 1 @@ -1229,8 +1231,12 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL) goto scandir_err; - if (X509_STORE_add_cert(store, ca) == 0) - goto scandir_err; + if (X509_STORE_add_cert(store, ca) == 0) { + /* only exits on error if the error is not about duplicate certificates */ + if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) { + goto scandir_err; + } + } X509_free(ca); BIO_free(in);
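Review bot: In the first hunk (@@ -1201,6 +1201,8 @@), ERR_clear_error() is only called once at function entry, but the check added further down in the per-file loop reads whatever is oldest on the thread's error queue when X509_STORE_add_cert() fails. Any entry left on the queue by an earlier iteration or by an earlier call in the same iteration (the PEM_read_bio_X509_AUX() path, for instance) would then be the one inspected, not the error from X509_STORE_add_cert(). Consider clearing the queue immediately before each X509_STORE_add_cert() call in the loop, or inspecting the most recent entry with ERR_peek_last_error() instead of the oldest one. Minor, in the unchanged context: `X509 *ca = NULL;;` carries a stray second semicolon that could be dropped while touching this function.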
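Review bot: In the second hunk (@@ -1229,8 +1231,12 @@), `ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE` compares only the reason code, but OpenSSL reason codes are scoped per library, so a reason from another library that happens to share the same numeric value would also be treated as a harmless duplicate; check the library as well, e.g. `unsigned long err = ERR_peek_last_error(); if (ERR_GET_LIB(err) != ERR_LIB_X509 || ERR_GET_REASON(err) != X509_R_CERT_ALREADY_IN_HASH_TABLE) goto scandir_err;`. Using a peek rather than ERR_get_error() also matters for the failure path: ERR_get_error() pops the entry, so by the time control reaches scandir_err the queue no longer holds the error that caused the jump, and any diagnostic printed there from the queue would be empty or stale; call ERR_clear_error() explicitly in the branch that decides to ignore the duplicate. Style: `!(a == b)` reads more naturally as `a != b`, and the comment should read "only exit on error if the error is not about duplicate certificates".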