From 432cd1a7f824fb863ab5252d38e1c931044bd93e Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 25 Oct 2022 15:55:13 +0200
Subject: [PATCH] MEDIUM: ssl: be stricter about chain error

The error check on certificate chain was ignoring all decoding error, silently ignoring some errors. This patch fixes the issue by being stricter on errors when reading the chain, this is a change of behavior, it could break existing setup that has a wrong chain.
---
 src/ssl_ckch.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 61ffbc08f3..1df6b967fc 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -626,14 +626,16 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_key_and
 while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
 if (chain == NULL)
 chain = sk_X509_new_null();
+ if (ca == NULL)
+ break;
 if (!sk_X509_push(chain, ca)) {
 X509_free(ca);
- goto end;
+ break;
 }
 }
 
 ret = ERR_get_error();
- if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
+ if (ret && (ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
 memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", err && *err ? *err : "",
 path, ERR_reason_error_string(ret));
 goto end;
-- 
2.39.5
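Review bot: The added `if (ca == NULL) break;` is unreachable, because the `while ((ca = PEM_read_bio_X509(...)))` condition already leaves the loop as soon as ca is NULL, so those two lines should be dropped. Separately, the tightened check no longer qualifies the reason code by library: `PEM_R_NO_START_LINE` is only meaningful together with `ERR_LIB_PEM`, and OpenSSL reason numbers are reused across libraries, so an error from another library that happens to carry the same numeric reason would still be accepted as a clean end-of-chain. The original condition looks like it had the operator wrong rather than the library check being superfluous; `if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) {` keeps the new strictness without that gap. ssl_sock_load_pem_into_ckch starts and ends outside the hunk, so whether the error queue is cleared before this loop cannot be seen here; if it is not, ERR_get_error() returns the oldest queued error, which may predate the chain read.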