From: Valentine Krasnobaeva
Date: Thu, 11 Jul 2024 15:46:56 +0000 (+0200)
Subject: MEDIUM: ocsp: fix ocsp when the chain is loaded from 'issuers-chain-path'
X-Git-Tag: v3.1-dev4~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3dfd95a;p=thirdparty%2Fhaproxy.git

MEDIUM: ocsp: fix ocsp when the chain is loaded from 'issuers-chain-path'

This fixes OCSP when the issuer chain is in a separate PEM file. This is the case of the issuers-chain-path keyword, which points to a folder that contains only PEM files with the RootCA and IntermediateCA.

Before this patch, the chain from 'issuers-chain-path' was applied directly to the SSL_CTX without being applied to the data->chain structure. This would work for SSL traffic, but every test done with data->chain would fail, OCSP included, because the chain would be NULL.

This patch moves the loading of the chain from ssl_sock_load_cert_chain(), which is the function that applies the chain to the SSL_CTX, to ssl_sock_load_pem_into_ckch(), which is the function that loads the files into the ckch_data structure.

Fixes issue #2635 but it changes things on the CLI, so that's not backportable.

--- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index b178078d8a..4fb119718c 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -647,6 +647,15 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d } } + /* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */ + if (chain == NULL) { + struct issuer_chain *issuer_chain; + issuer_chain = ssl_get0_issuer_chain(cert); + if (issuer_chain) { + chain = X509_chain_up_ref(issuer_chain->chain); + } + } + ret = ERR_get_error(); if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) { memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 08aa282735..904aa3a753 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
@@ -2613,12 +2613,6 @@ static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *da if (data->chain) { *find_chain = X509_chain_up_ref(data->chain); - } else { - /* Find Certificate Chain in global */ - struct issuer_chain *issuer; - issuer = ssl_get0_issuer_chain(data->cert); - if (issuer) - *find_chain = X509_chain_up_ref(issuer->chain); } if (!*find_chain) {
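Review bot: in the ssl_ckch.c hunk (ssl_sock_load_pem_into_ckch), the fallback `chain = X509_chain_up_ref(issuer_chain->chain);` takes a new reference before the `ret = ERR_get_error();` check that follows it, so when the PEM read failed with a real error (anything other than PEM_R_NO_START_LINE) the function now holds an up-ref'd chain on its way to the "unable to load certificate chain from file" error path; please confirm that path frees `chain`, or move the issuers-chain-path lookup below the error check so the reference is only taken once the file is known to be clean. Note also that `ssl_get0_issuer_chain(cert)` is keyed on `cert`, so the lookup should only run once the certificate itself has been loaded; a short comment saying the chain is global and merely referenced here would help the next reader.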
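Review bot: in the ssl_sock.c hunk (ssl_sock_load_cert_chain), removing the `else` branch that called `ssl_get0_issuer_chain(data->cert)` means this function now relies entirely on `data->chain` having been filled in beforehand; the ssl_ckch.c hunk covers ssl_sock_load_pem_into_ckch(), but any other code path that builds a ckch_data without going through that loader would now land in the `if (!*find_chain)` branch instead of picking up the issuers-chain-path chain, so it is worth grepping for other producers of ckch_data before merging. The commit message also says the change is visible on the CLI (which is why it is not backportable) but does not say what now differs, and the patch carries no doc update; stating what the CLI shows differently, at least in the message, would save a bisect later.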