MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain
If the ocsp issuer certificate was actually taken from the certificate
chain in ssl_sock_load_ocsp, we don't need to keep an extra reference on
it since we already keep a reference to the full certificate chain.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bf7bb01..efa31ea 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1244,8 +1244,13 @@
/* Do not insert the same certificate_ocsp structure in the
* update tree more than once. */
if (!ocsp) {
- iocsp->issuer = issuer;
- X509_up_ref(issuer);
+ /* Issuer certificate is not included in the certificate
+ * chain, it will have to be treated separately during
+ * ocsp response validation. */
+ if (issuer == data->ocsp_issuer) {
+ iocsp->issuer = issuer;
+ X509_up_ref(issuer);
+ }
if (data->chain)
iocsp->chain = X509_chain_up_ref(data->chain);
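Review bot: The `X509_chain_up_ref(data->chain)` result on the last line is never checked, and with the new `if (issuer == data->ocsp_issuer)` guard that chain reference is the only thing keeping the issuer reachable from `iocsp` when the issuer came from the chain. `X509_chain_up_ref` returns NULL on allocation failure, which would leave `iocsp->issuer` and `iocsp->chain` both NULL, so later OCSP response validation would have no issuer to verify the signature against. I would treat that as a load error, for example `if (data->chain && !(iocsp->chain = X509_chain_up_ref(data->chain)))` followed by the function's existing error path, which is not visible in this hunk. The comment above the guard could also say explicitly that `iocsp->issuer` stays NULL when the issuer is part of the chain, since readers of that field elsewhere presumably relied on it always being set. The enclosing function (ssl_sock_load_ocsp according to the commit message) starts and ends outside the hunk.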