The previous fix for ssl-skip-self-issued-ca requires the use of
SSL_CTX_build_cert_chain(), which is only available starting from OpenSSL
1.0.2.
issuer for ocsp without the need for '.issuer' file and be able to share it
with 'issuers-chain-path'. This concerns all certificates without intermediate
certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
- bits does not need it.
+ bits does not need it. Requires at least OpenSSL 1.0.2.
stats socket [<address:port>|<path>] [param*]
Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
struct proxy *defpx, const char *file, int line,
char **err)
{
+#ifdef SSL_CTX_build_cert_chain
global_ssl.skip_self_issued_ca = 1;
return 0;
+#else
+ memprintf(err, "global statement '%s' requires at least OpenSSL 1.0.2.", args[0]);
+ return -1;
+#endif
}
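Review bot: `#ifdef SSL_CTX_build_cert_chain` tests whether a preprocessor name exists, not whether the library supports the call: it works for OpenSSL, which defines it as a macro over SSL_CTX_ctrl(), but any supported library that declares it as a real function would silently take the `#else` branch and reject the keyword with a message about OpenSSL 1.0.2 that does not describe the actual cause. The same guard is used at the later `SSL_CTX_build_cert_chain` call site, so the two must stay in sync; either switch both to the version test the error message already names (the compat version macro this file uses for its other OpenSSL version gates, if it has one), or at least document the trick on the `#ifdef`, e.g. `/* SSL_CTX_build_cert_chain() is a macro in OpenSSL >= 1.0.2; its absence means the option cannot be honoured */`. The enclosing parser function starts before the hunk, so its `args` checks are not visible here.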
}
#endif
+#ifdef SSL_CTX_build_cert_chain
/* remove the Root CA from the SSL_CTX if the option is activated */
if (global_ssl.skip_self_issued_ca) {
if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
goto end;
}
}
+#endif
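Review bot: The `!SSL_CTX_build_cert_chain(...)` test accepts the return value 2, which OpenSSL returns when SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set and the chain was built but could not be verified; that is intended here but not obvious next to the "remove the Root CA" comment, so a note such as `/* returns 0 on failure, 1 on success, 2 if built but unverified (IGNORE_ERROR): 2 is accepted on purpose */` would help. Because of IGNORE_ERROR and UNTRUSTED this step never validates the configured chain, so it must not be read as a chain check. On failure the code jumps to `end` with no error text set in the hunk; if `end` does not report the reason (it is outside the hunk), an ERR-derived message before the `goto` would tell the operator why the listener failed to start. The enclosing function continues past the hunk.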
#ifndef OPENSSL_NO_DH
/* store a NULL pointer to indicate we have not yet loaded