git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <yadij@users.noreply.github.com>
	Tue, 5 Jun 2018 06:11:29 +0000 (06:11 +0000)
committer	Squid Anubis <squid-anubis@squid-cache.org>
	Tue, 5 Jun 2018 13:26:32 +0000 (13:26 +0000)
commit	540e2966f157d58e3f8a9de99393817cdddef569
tree	1162c04d5ddc58bf6975ca67e3e840e37a8df4e5	tree
parent	80d0fe086af2f9493d4fee384ad5ab070b75357a	commit \| diff

Bug 4831: filter chain certificates for validity when loading (#187)

51e09c08a5e6c582e7d93af99a8f2cfcb14ea9e6 adding
GnuTLS support required splitting the way
certificate chains were loaded. This resulted in the
leaf certificate being added twice at the prefix of a
chain in the serverHello.

It turns out that some recipients validate strictly that the
chain delivered by a serverHello does not contain extra
certificates and reject the handshake if they do.

This patch implements the XXX about filtering certificates
for chain sequence order and self-sign properties, added
in the initial PR. Resolving the bug 4831 regression and also
reporting failures at startup/reconfigure for admins.

Also, add debug display of certificate names for simpler
detection and administrative fix when loaded files fail
these tests.