From 081be7ebf85eae6a1c0f1d44a878096d2c5d6cd8 Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Fri, 23 Jan 2015 11:27:47 +0200
Subject: [PATCH] Add missing root CAs when validating chains that passed internal checks.

When internal checks found no certificate errors, Squid does not include root CA certificate in certificates chain sent to the certificate validator. Squid just sent the certificates chain sent by the SSL server.

This patch stores the full certificates list built by OpenSSL while validating the SSL server certificates chain, even if no certificate error found and sends this list to certificate validator.

This is a Measurement Factory project
---
 src/ssl/support.cc | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 3dae5b006a..34043ad39a 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -313,16 +313,19 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 // pass them to certficate validator for more processing
 else if (Ssl::TheConfig.ssl_crt_validator) {
 ok = 1;
- // Check if we have stored certificates chain. Store if not.
- if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
- STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
- if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
- sk_X509_pop_free(certStack, X509_free);
- }
 }
 }
 }
 
+ if (Ssl::TheConfig.ssl_crt_validator) {
+ // Check if we have stored certificates chain. Store if not.
+ if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
+ STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
+ if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
+ sk_X509_pop_free(certStack, X509_free);
+ }
+ }
+
 if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
 
 // Find the broken certificate. It may be intermediate.
-- 
2.47.3
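Review bot: The moved block stores the chain only on the first ssl_verify_cb invocation where no chain is stored yet, and never refreshes it; since OpenSSL can invoke this callback before chain building has completed when it hits an error, the copy taken by `X509_STORE_CTX_get1_chain(ctx)` on that first call may be shorter than the chain a later invocation would see, which is exactly the root-CA omission this patch is trying to close — worth confirming against the OpenSSL version Squid targets, and either documenting the assumption or replacing a stored stack when a later call yields a longer one. The retained comment also no longer explains why the capture now happens outside the error branch; I would replace it with `// Keep the chain OpenSSL built (including any locally found root CA) for the external validator, even when internal checks passed.` Ownership of the stored stack after a successful `SSL_set_ex_data` is not visible here; presumably the ex_data free callback for `ssl_ex_index_ssl_cert_chain` releases it, but that should be verified since `X509_STORE_CTX_get1_chain` returns an owned copy. ssl_verify_cb starts and ends outside this hunk.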