Bug 3849: Duplicate certificate sent when using https_port

The certificate file given with the "cert=" option it may contain a list
of
certificates to be chained to the SSL client, for example intermediate
certificates.

The bug caused because in the certificates  chain we are storing also
the
certificate of the port. This is works well for SSL-bump because squid
generates a certificate which uses the port certificate as CA
certificate.
But in the case of https_port without bumping the port certificate is
sent
twice, one as SSL server certificate and one as chained certificate.

This patch try to chain port certificate only when the sslbump is used.

This is a Measurement Factory project

diff --git a/src/client_side.cc b/src/client_side.cc
index b7227e3d597d82f63b3e2894ea171955dcb7a55e..d7038b2a774d45eb1af6fddf20b115b33c1ea1ac 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3853,8 +3853,18 @@ ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew)
     // Try to add generated ssl context to storage.
     if (port->generateHostCertificates && isNew) {
 
-        if (signAlgorithm == Ssl::algSignTrusted)
+        if (signAlgorithm == Ssl::algSignTrusted) {
+            // Add signing certificate to the certificates chain
+            X509 *cert = port->signingCert.get();
+            if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+                // increase the certificate lock
+                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+            } else {
+                const int ssl_error = ERR_get_error();
+                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+            }
             Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+        }
         //else it is self-signed or untrusted do not attrach any certificate
 
         Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index dda2a3ab11b32e87487adde79857c552d572b320..5372f512cf5e3a7beef1e29e6153b8a8ff9749d7 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1531,11 +1531,7 @@ static X509 * readSslX509CertificatesChain(char const * certFilename,  STACK_OF(
         if (X509_check_issued(certificate, certificate) == X509_V_OK)
             debugs(83, 5, "Certificate is self-signed, will not be chained");
         else {
-            if (sk_X509_push(chain, certificate))
-                CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
-            else
-                debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
-            // and add to the chain any certificate loaded from the file
+            // and add to the chain any other certificate exist in the file
             while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
                 if (!sk_X509_push(chain, ca))
                     debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");