From f3dfd95aa2271c005414afbf840a128828fb92fb Mon Sep 17 00:00:00 2001 From: Valentine Krasnobaeva Date: Thu, 11 Jul 2024 17:46:56 +0200 Subject: [PATCH] MEDIUM: ocsp: fix ocsp when the chain is loaded from 'issuers-chain-path' This fixes OCSP, when issuer chain is in a separate PEM file. This is a case of issuers-chain-path keyword, which points to folder that contains only PEM with RootCA and IntermediateCA. Before this patch, the chain from 'issuers-chain-path' was applied directly to the SSL_CTX without being applied to the data->chain structure. This would work for SSL traffic, but every tests done with data->chain would fail, OCSP included, because the chain would be NULL. This patch moves the loading of the chain from ssl_sock_load_cert_chain(), which is the function that applies the chain to the SSL_CTX, to ssl_sock_load_pem_into_ckch() which is the function that loads the files into the ckch_data structure. Fixes issue #2635 but it changes thing on the CLI, so that's not backportable. --- src/ssl_ckch.c | 9 +++++++++ src/ssl_sock.c | 6 ------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index b178078d8a..4fb119718c 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -647,6 +647,15 @@ int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct ckch_data *d } } + /* If we couldn't find a chain, we should try to look for a corresponding chain in 'issuers-chain-path' */ + if (chain == NULL) { + struct issuer_chain *issuer_chain; + issuer_chain = ssl_get0_issuer_chain(cert); + if (issuer_chain) { + chain = X509_chain_up_ref(issuer_chain->chain); + } + } + ret = ERR_get_error(); if (ret && !(ERR_GET_LIB(ret) == ERR_LIB_PEM && ERR_GET_REASON(ret) == PEM_R_NO_START_LINE)) { memprintf(err, "%sunable to load certificate chain from file '%s': %s\n", diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 08aa282735..904aa3a753 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2613,12 +2613,6 @@ static int ssl_sock_load_cert_chain(const char *path, const struct ckch_data *da if (data->chain) { *find_chain = X509_chain_up_ref(data->chain); - } else { - /* Find Certificate Chain in global */ - struct issuer_chain *issuer; - issuer = ssl_get0_issuer_chain(data->cert); - if (issuer) - *find_chain = X509_chain_up_ref(issuer->chain); } if (!*find_chain) { -- 2.39.5