Revert "MINOR: ssl: rework add cert chain to CTX to be libssl independent"

This reverts commit 4fed93eb725b513dd3b2029daa888311db110851.

This commit was simplifying the certificate chain loading with
SSL_CTX_add_extra_chain_cert() which is available in all SSL libraries.
Unfortunately this function is not compatible with the
multi-certificates bundles, which have the effect of concatenating the
chains of all certificate types instead of creating a chain for each
type (RSA, ECDSA etc.)

Should fix issue #655.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8f16463ca25c4af1fbed8505bcb3fe140feafc67..83cb2cb7a0429f4d645d98d8e3bca46d109df081 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2917,29 +2917,31 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
                        find_chain = issuer->chain;
        }
 
-       /* Load all certs from chain, except Root, in the ssl_ctx */
-       if (find_chain) {
-               int i;
+       /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+       if (find_chain)
+#ifdef SSL_CTX_set1_chain
+               if (!SSL_CTX_set1_chain(ctx, find_chain)) {
+                       memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+                                 err && *err ? *err : "", path);
+                       errcode |= ERR_ALERT | ERR_FATAL;
+                       goto end;
+               }
+#else
+       { /* legacy compat (< openssl 1.0.2) */
                X509 *ca;
-               for (i = 0; i < sk_X509_num(find_chain); i++) {
-                       ca = sk_X509_value(find_chain, i);
-                       /* skip self issued (Root CA) */
-                       if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
-                               continue;
-                       /*
-                          SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
-                          Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
-                       */
-                       X509_up_ref(ca);
+               STACK_OF(X509) *chain;
+               chain = X509_chain_up_ref(find_chain);
+               while ((ca = sk_X509_shift(chain)))
                        if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
-                               X509_free(ca);
                                memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
                                          err && *err ? *err : "", path);
+                               X509_free(ca);
+                               sk_X509_pop_free(chain, X509_free);
                                errcode |= ERR_ALERT | ERR_FATAL;
                                goto end;
                        }
-               }
        }
+#endif
 
 #ifndef OPENSSL_NO_DH
        /* store a NULL pointer to indicate we have not yet loaded