From: William Lallemand Date: Tue, 25 Feb 2020 13:07:58 +0000 (+0100) Subject: MINOR: ssl/cli: reorder 'show ssl cert' output X-Git-Tag: v2.2-dev3~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a90e593a7aa644ff5f4f70f5df4efe1b2dd48cb7;p=thirdparty%2Fhaproxy.git MINOR: ssl/cli: reorder 'show ssl cert' output Reorder the 'show ssl cert' output so it's easier to see if the whole chain is correct. For a chain to be correct, an "Issuer" line must have the same content as the next "Subject" line. Example: Subject: /C=FR/ST=Paris/O=HAProxy Test Certificate/CN=test.haproxy.local Issuer: /C=FR/ST=Paris/O=HAProxy Test Intermediate CA 2/CN=ca2.haproxy.local Chain Subject: /C=FR/ST=Paris/O=HAProxy Test Intermediate CA 2/CN=ca2.haproxy.local Chain Issuer: /C=FR/ST=Paris/O=HAProxy Test Intermediate CA 1/CN=ca1.haproxy.local Chain Subject: /C=FR/ST=Paris/O=HAProxy Test Intermediate CA 1/CN=ca1.haproxy.local Chain Issuer: /C=FR/ST=Paris/O=HAProxy Test Root CA/CN=root.haproxy.local --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 94fff9b0ff..38b30977c0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -10680,24 +10680,6 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx) BIO_free(bio); chunk_appendf(out, "%s\n", tmp->area); - - chunk_appendf(out, "Issuer: "); - if ((name = X509_get_issuer_name(ckchs->ckch->cert)) == NULL) - goto end; - if ((ssl_sock_get_dn_oneline(name, tmp)) == -1) - goto end; - *(tmp->area + tmp->data) = '\0'; - chunk_appendf(out, "%s\n", tmp->area); - - chunk_appendf(out, "Subject: "); - if ((name = X509_get_subject_name(ckchs->ckch->cert)) == NULL) - goto end; - if ((ssl_sock_get_dn_oneline(name, tmp)) == -1) - goto end; - *(tmp->area + tmp->data) = '\0'; - chunk_appendf(out, "%s\n", tmp->area); - - #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME chunk_appendf(out, "Subject Alternative Name: "); if (ssl_sock_get_san_oneline(ckchs->ckch->cert, out) == -1) 
@@ -10719,6 +10701,22 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx) dump_binary(out, tmp->area, tmp->data); chunk_appendf(out, "\n"); + chunk_appendf(out, "Subject: "); + if ((name = X509_get_subject_name(ckchs->ckch->cert)) == NULL) + goto end; + if ((ssl_sock_get_dn_oneline(name, tmp)) == -1) + goto end; + *(tmp->area + tmp->data) = '\0'; + chunk_appendf(out, "%s\n", tmp->area); + + chunk_appendf(out, "Issuer: "); + if ((name = X509_get_issuer_name(ckchs->ckch->cert)) == NULL) + goto end; + if ((ssl_sock_get_dn_oneline(name, tmp)) == -1) + goto end; + *(tmp->area + tmp->data) = '\0'; + chunk_appendf(out, "%s\n", tmp->area); + /* Displays subject of each certificate in the chain */ for (i = 0; i < sk_X509_num(ckchs->ckch->chain); i++) { X509 *ca = sk_X509_value(ckchs->ckch->chain, i);
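Review bot: The relocated `*(tmp->area + tmp->data) = '\0';` stores in the new Subject and Issuer blocks write the terminator at offset `tmp->data` with no check against the buffer size, and nothing visible here shows that `ssl_sock_get_dn_oneline()` always leaves a spare byte. If that helper can return with `tmp->data == tmp->size` for a long DN, the store lands one byte past `tmp->area`; a guard such as `if (tmp->data >= tmp->size) goto end;` before each terminator would make the bound explicit. The DN text comes from the certificate and is printed with `"%s\n"`, so it is worth confirming that the helper escapes control characters and newlines, since an embedded newline would break the Issuer/Subject line pairing that operators are meant to compare. The function starts and ends outside the hunk, so what the `end` label does after a partially written "Subject: " or "Issuer: " prefix cannot be checked from here.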