BUG/MEDIUM: ssl: chain must be initialized with sk_X509_new_null() Even when there isn't a chain, it must be initialized to a empty X509 structure with sk_X509_new_null(). This patch fixes a segfault which appears with older versions of the SSL libs (openssl 0.9.8, libressl 2.8.3...) because X509_chain_up_ref() does not check the pointer. This bug was introduced by b90d2cb ("MINOR: ssl: resolve issuers chain later"). Should fix issue #516.

commit: 858885737c1d2672d5b1ba80a58c0bb585a0b981 [log] [tgz]
author: William Lallemand <wlallemand@haproxy.com> Thu Feb 27 14:48:35 2020 +0100
committer: William Lallemand <wlallemand@haproxy.org> Thu Feb 27 14:48:35 2020 +0100
tree: b49a03fe297ea804f96316da99395e1e5656f6b1
parent: 530408f976e5fe2f2f2b4b733b39da36770b566f [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 80356aa..577f785 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3629,6 +3629,11 @@
 		if (issuer)
 			find_chain = issuer->chain;
 	}
+
+	/* If we didn't find a chain we *MUST* use an empty X509 structure */
+	if (find_chain == NULL)
+		find_chain = sk_X509_new_null();
+
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
 #ifdef SSL_CTX_set1_chain
         if (!SSL_CTX_set1_chain(ctx, find_chain)) {
commit	858885737c1d2672d5b1ba80a58c0bb585a0b981	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.com>	Thu Feb 27 14:48:35 2020 +0100
committer	William Lallemand <wlallemand@haproxy.org>	Thu Feb 27 14:48:35 2020 +0100
tree	b49a03fe297ea804f96316da99395e1e5656f6b1
parent	530408f976e5fe2f2f2b4b733b39da36770b566f [diff]