Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 935d8294d5a4671ec01256b4129b5bc3ce5ab00e
commit935d8294d5a4671ec01256b4129b5bc3ce5ab00e[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.com>Wed Aug 12 20:02:10 2020 +0200
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Aug 12 20:10:50 2020 +0200
treeec2804e83b3fa28876b6ac37839fdec4b51c944e
parenta6d9879e69d65e8821347860394829c4dc72f937 [diff]
BUG/MEDIUM: ssl: never generates the chain from the verify store

In bug #781 it was reported that HAProxy completes the certificate chain
using the verify store in the case there is no chain.

Indeed, according to OpenSSL documentation, when generating the chain,
OpenSSL use the chain store OR the verify store in the case there is no
chain store.

As a workaround, this patch always put a NULL chain in the SSL_CTX so
OpenSSL does not tries to complete it.

This must be backported in all branches, the code could be different,
the important part is to ALWAYS set a chain, and uses sk_X509_new_null()
if the chain is NULL.
1 file changed
tree: ec2804e83b3fa28876b6ac37839fdec4b51c944e
  1. .github/
  2. contrib/
  3. doc/
  4. examples/
  5. include/
  6. reg-tests/
  7. scripts/
  8. src/
  9. tests/
  10. .cirrus.yml
  11. .gitignore
  12. .travis.yml
  13. BRANCHES
  14. CHANGELOG
  15. CONTRIBUTING
  16. INSTALL
  17. LICENSE
  18. MAINTAINERS
  19. Makefile
  20. README
  21. ROADMAP
  22. SUBVERS
  23. VERDATE
  24. VERSION