BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2

Commit 1c65fdd5 "MINOR: ssl: add extra chain compatibility" really implement
SSL_CTX_set0_chain. Since ckch can be used to init more than one ctx with
openssl < 1.0.2 (commit 89f58073 for X509_chain_up_ref compatibility),
SSL_CTX_set1_chain compatibility is required.

This patch must be backported to 2.1.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8512f05d0dbbb9e4a58218343a3a68ccbf7505c4..e36c03e631950772e5357bb8423fedf15a52dc97 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3552,11 +3552,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 #else
        { /* legacy compat (< openssl 1.0.2) */
                X509 *ca;
-               while ((ca = sk_X509_shift(ckch->chain)))
+               STACK_OF(X509) *chain;
+               chain = X509_chain_up_ref(ckch->chain);
+               while ((ca = sk_X509_shift(chain)))
                        if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
                                memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
                                          err && *err ? *err : "", path);
                                X509_free(ca);
+                               sk_X509_pop_free(chain, X509_free);
                                errcode |= ERR_ALERT | ERR_FATAL;
                                goto end;
                        }