BUG/MEDIUM: ssl: never generates the chain from the verify store
In bug #781 it was reported that HAProxy completes the certificate chain
using the verify store in the case there is no chain.
Indeed, according to OpenSSL documentation, when generating the chain,
OpenSSL use the chain store OR the verify store in the case there is no
chain store.
As a workaround, this patch always put a NULL chain in the SSL_CTX so
OpenSSL does not tries to complete it.
This must be backported in all branches, the code could be different,
the important part is to ALWAYS set a chain, and uses sk_X509_new_null()
if the chain is NULL.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f8001c5..bb28f18 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2985,15 +2985,20 @@
find_chain = issuer->chain;
}
+ if (!find_chain) {
+ /* always put a null chain stack in the SSL_CTX so it does not
+ * try to build the chain from the verify store */
+ find_chain = sk_X509_new_null();
+ }
+
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
- if (find_chain)
#ifdef SSL_CTX_set1_chain
- if (!SSL_CTX_set1_chain(ctx, find_chain)) {
- memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
- err && *err ? *err : "", path);
- errcode |= ERR_ALERT | ERR_FATAL;
- goto end;
- }
+ if (!SSL_CTX_set1_chain(ctx, find_chain)) {
+ memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+ err && *err ? *err : "", path);
+ errcode |= ERR_ALERT | ERR_FATAL;
+ goto end;
+ }
#else
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;