This fixes OCSP, when issuer chain is in a separate PEM file. This is a
case of issuers-chain-path keyword, which points to folder that contains only
PEM with RootCA and IntermediateCA.
Before this patch, the chain from 'issuers-chain-path' was applied
directly to the SSL_CTX without being applied to the data->chain
structure. This would work for SSL traffic, but every check that relied on
data->chain would fail, OCSP included, because the chain would be NULL.
This patch moves the loading of the chain from
ssl_sock_load_cert_chain(), which is the function that applies the chain
to the SSL_CTX, to ssl_sock_load_pem_into_ckch() which is the function
that loads the files into the ckch_data structure.
Fixes issue #2635 but it changes thing on the CLI, so that's not
backportable.
}
}
+ /* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */
+ if (chain == NULL) {
+ struct issuer_chain *issuer_chain;
+ issuer_chain = ssl_get0_issuer_chain(cert);
+ if (issuer_chain) {
+ chain = X509_chain_up_ref(issuer_chain->chain);
+ }
+ }
+
ret = ERR_get_error();
if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s': %s\n",
if (data->chain) {
*find_chain = X509_chain_up_ref(data->chain);
- } else {
- /* Find Certificate Chain in global */
- struct issuer_chain *issuer;
- issuer = ssl_get0_issuer_chain(data->cert);
- if (issuer)
- *find_chain = X509_chain_up_ref(issuer->chain);
}
if (!*find_chain) {