MINOR: ssl: skip self issued CA in cert chain for ssl_ctx
First: self issued CA, aka root CA, is the enchor for chain validation,
no need to send it, client must have it. HAProxy can skip it in ssl_ctx.
Second: the main motivation to skip root CA in ssl_ctx is to be able to
provide it in the chain without drawback. Use case is to provide issuer
for ocsp without the need for .issuer and be able to share it in
issuers-chain-path. This concerns all certificates without intermediate
certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
bits doesn't need it.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 46aae7f..d2e5948 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3634,12 +3634,15 @@
find_chain = issuer->chain;
}
- /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+ /* Load all certs from chain, except Root, in the ssl_ctx */
if (find_chain) {
int i;
X509 *ca;
for (i = 0; i < sk_X509_num(find_chain); i++) {
ca = sk_X509_value(find_chain, i);
+ /* skip self issued (Root CA) */
+ if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
+ continue;
/*
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)