From: William Lallemand Date: Fri, 26 Sep 2025 07:22:55 +0000 (+0200) Subject: BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file X-Git-Tag: v3.3-dev9~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c52d69cc785c039c0b665a229350fff11cfeda13;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file The httpclient is configured with @system-ca by default, which uses the directory returned by X509_get_default_cert_dir(). On debian/ubuntu systems, this directory contains multiple certificate files that are loaded successfully. However it seems that on other systems the files in this directory is the direct result of ca-certificates instead of its source. Meaning that you would only have a bundle file with every certificates in it. The loading was not done correctly in case of directory loading, and was only loading the first certificate of each file. This patch fixes the issue by using X509_STORE_load_locations() on each file from the scandir instead of trying to load it manually with BIO. Not that we can't use X509_STORE_load_locations with the `dir` argument, which would be simpler, because it uses X509_LOOKUP_hash_dir() which requires a directory in hash form. That wouldn't be suited for this use case. Must be backported in every stable branches. Fix issue #3137. --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index b1c4c547a..72241297c 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1526,8 +1526,6 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ for (i= 0; i < n; i++) { char *end; struct dirent *de = de_list[i]; - BIO *in = NULL; - X509 *ca = NULL;; ERR_clear_error(); @@ -1547,34 +1545,16 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ free(de); continue; } - in = BIO_new(BIO_s_file()); - if (in == NULL) - goto scandir_err; chunk_printf(&trash, "%s/%s", dir, de->d_name); - - if (BIO_read_filename(in, trash.area) == 0) - goto scandir_err; - - if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL) + if (!X509_STORE_load_locations(store, trash.area, NULL)) goto scandir_err; - if (X509_STORE_add_cert(store, ca) == 0) { - /* only exits on error if the error is not about duplicate certificates */ - if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) { - goto scandir_err; - } - } - - X509_free(ca); - BIO_free(in); free(de); continue; scandir_err: e = ERR_get_error(); - X509_free(ca); - BIO_free(in); free(de); /* warn if it can load one of the files, but don't abort */ if (!shuterror)