From: Christos Tsantilas
Date: Sun, 8 Sep 2013 10:48:51 +0000 (+0300)
Subject: Bug 3849: Duplicate certificate sent when using https_port
X-Git-Tag: SQUID_3_5_0_1~644
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a411d2130af47ffdd988f88affde10e30ab71368;p=thirdparty%2Fsquid.git

Bug 3849: Duplicate certificate sent when using https_port

The certificate file given with the "cert=" option may contain a list of certificates to be sent to the SSL client along with the server certificate, for example intermediate certificates. The bug was caused by the port certificate itself also being stored in that certificate chain. This works for SSL-bump, because squid generates a certificate that uses the port certificate as its CA certificate. But in the case of an https_port without bumping, the port certificate was sent twice: once as the SSL server certificate and once as a chained certificate. This patch chains the port certificate only when SSL-bump is used.

This is a Measurement Factory project
---
diff --git a/src/client_side.cc b/src/client_side.cc
index a731d38ec3..1f402207b7 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3938,8 +3938,18 @@ ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew)
     // Try to add generated ssl context to storage.
     if (port->generateHostCertificates && isNew) {
-        if (signAlgorithm == Ssl::algSignTrusted)
+        if (signAlgorithm == Ssl::algSignTrusted) {
+            // Add signing certificate to the certificates chain
+            X509 *cert = port->signingCert.get();
+            if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+                // increase the certificate lock
+                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+            } else {
+                const int ssl_error = ERR_get_error();
+                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+            }
             Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+        } //else it is self-signed or untrusted do not attrach any certificate

         Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index df039571c3..e0123f6f66 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1584,11 +1584,7 @@ static X509 * readSslX509CertificatesChain(char const * certFilename, STACK_OF(
     if (X509_check_issued(certificate, certificate) == X509_V_OK)
         debugs(83, 5, "Certificate is self-signed, will not be chained");
     else {
-        if (sk_X509_push(chain, certificate))
-            CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
-        else
-            debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
-        // and add to the chain any certificate loaded from the file
+        // and add to the chain any other certificate exist in the file
         while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
             if (!sk_X509_push(chain, ca))
                 debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
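Review bot: `port->signingCert.get()` is passed to SSL_CTX_add_extra_chain_cert and then dereferenced in `CRYPTO_add(&(cert->references), ...)` without a null check; nothing in the hunk establishes that the algSignTrusted branch guarantees a loaded signing certificate, and OpenSSL will happily push a NULL onto the extra-chain stack, so the dereference that follows would crash rather than fail loudly. Guarding the whole block with `if (X509 *cert = port->signingCert.get()) {` (falling through to the existing WARNING otherwise) keeps the failure visible. The manual refcount bump is correct only because SSL_CTX_add_extra_chain_cert takes ownership of the pointer while `port->signingCert` keeps its own reference, and the comment "increase the certificate lock" does not say that; replace it with `// SSL_CTX_add_extra_chain_cert takes ownership; keep signingCert's reference alive`. getSslContextDone starts and ends outside this hunk.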
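Review bot: The port certificate is no longer pushed onto `chain`, which changes what this function returns for every caller, not just the SSL-bump path that the client_side.cc hunk patches up; any other consumer of certsToChain that relied on the first entry being the port certificate now silently loses it, and the new comment does not record that dependency. Replace the new comment with `// The port certificate itself is deliberately not chained here: without bumping it is already the server certificate, and SSL-bump re-adds it as the signing certificate in getSslContextDone()` (one line in the file). In the retained loop, a failed `sk_X509_push(chain, ca)` drops `ca` without releasing it; since the loop is being touched, add `X509_free(ca);` after the WARNING so the PEM-loaded certificate does not leak. readSslX509CertificatesChain begins and ends outside this hunk.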