From: William Lallemand Date: Wed, 12 Aug 2020 18:02:10 +0000 (+0200) Subject: BUG/MEDIUM: ssl: never generates the chain from the verify store X-Git-Tag: v2.3-dev3~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=935d8294d5a4671ec01256b4129b5bc3ce5ab00e;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: never generates the chain from the verify store In bug #781 it was reported that HAProxy completes the certificate chain using the verify store in the case there is no chain. Indeed, according to OpenSSL documentation, when generating the chain, OpenSSL use the chain store OR the verify store in the case there is no chain store. As a workaround, this patch always put a NULL chain in the SSL_CTX so OpenSSL does not tries to complete it. This must be backported in all branches, the code could be different, the important part is to ALWAYS set a chain, and uses sk_X509_new_null() if the chain is NULL. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f8001c5926..bb28f18158 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2985,15 +2985,20 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an find_chain = issuer->chain; } + if (!find_chain) { + /* always put a null chain stack in the SSL_CTX so it does not + * try to build the chain from the verify store */ + find_chain = sk_X509_new_null(); + } + /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */ - if (find_chain) #ifdef SSL_CTX_set1_chain - if (!SSL_CTX_set1_chain(ctx, find_chain)) { - memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", - err && *err ? *err : "", path); - errcode |= ERR_ALERT | ERR_FATAL; - goto end; - } + if (!SSL_CTX_set1_chain(ctx, find_chain)) { + memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n", + err && *err ? *err : "", path); + errcode |= ERR_ALERT | ERR_FATAL; + goto end; + } #else { /* legacy compat (< openssl 1.0.2) */ X509 *ca;