From: William Lallemand Date: Mon, 10 Aug 2020 14:18:45 +0000 (+0200) Subject: BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option X-Git-Tag: v2.3-dev3~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf298afe2d7eb2c698640bd8d4212d6be6f79782;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option In commit f187ce6, the ssl-skip-self-issued-ca option was accidentally made useless by reverting the SSL_CTX reworking. The previous attempt of making this feature was putting each certificate of the chain in the SSL_CTX with SSL_CTX_add_extra_chain_cert() and was skipping the Root CA. The problem here is that doing it this way instead of doing a SSL_CTX_set1_chain() break the support of the multi-certificate bundles. The SSL_CTX_build_cert_chain() function allows one to remove the Root CA with the SSL_BUILD_CHAIN_FLAG_NO_ROOT flag. Use it instead of doing tricks with the CA. Should fix issue #804. Must be backported in 2.2. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 48f2da99e5..0f4eabb34b 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3011,6 +3011,16 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an } #endif + /* remove the Root CA from the SSL_CTX if the option is activated */ + if (global_ssl.skip_self_issued_ca) { + if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) { + memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n", + err && *err ? *err : "", path); + errcode |= ERR_ALERT | ERR_FATAL; + goto end; + } + } + #ifndef OPENSSL_NO_DH /* store a NULL pointer to indicate we have not yet loaded a custom DH param file */
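Review bot: the flag combination `SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR` in the new block after `#endif` ignores a failed chain verification but does not clear it: when the loaded chain cannot be verified against the SSL_CTX trust store, SSL_CTX_build_cert_chain() still returns non-zero (so the `!` check treats it as success) while leaving a verification error on the OpenSSL error queue, which a later unrelated ERR_get_error()/ERR_print_errors() call may report against the wrong operation; OR-ing in `SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR` (or calling ERR_clear_error() after the call) avoids that. Two smaller points: SSL_CTX_build_cert_chain() only rebuilds the chain of the certificate currently selected in `ctx`, so for the multi-certificate bundles the commit message wants to keep working this block must execute once per certificate loaded into the context; and the message "unable to load chain certificate into SSL Context '%s'" describes the wrong step, since what failed is building the chain, so something like "unable to build certificate chain for SSL Context '%s'" would be clearer to an operator reading the log.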