BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
The previous fix for ssl-skip-self-issued-ca requires the use of
SSL_CTX_build_cert_chain() which is only available starting from OpenSSL
1.0.2
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 98ec939..b6de695 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1426,7 +1426,7 @@
issuer for ocsp without the need for '.issuer' file and be able to share it
with 'issuers-chain-path'. This concerns all certificates without intermediate
certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
- bits does not need it.
+ bits does not need it. Requires at least OpenSSL 1.0.2.
stats socket [<address:port>|<path>] [param*]
Binds a UNIX socket to <path> or a TCPv4/v6 address to <address:port>.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 060be5a..d22ae96 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1698,8 +1698,13 @@
struct proxy *defpx, const char *file, int line,
char **err)
{
+#ifdef SSL_CTX_build_cert_chain
global_ssl.skip_self_issued_ca = 1;
return 0;
+#else
+ memprintf(err, "global statement '%s' requires at least OpenSSL 1.0.2.", args[0]);
+ return -1;
+#endif
}
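Review bot: The added `#ifdef SSL_CTX_build_cert_chain` only detects the feature because OpenSSL 1.0.2 and 1.1.x happen to define SSL_CTX_build_cert_chain() as a macro over SSL_CTX_ctrl(); against a library that exports it as a real function the `#else` branch would reject a valid configuration even though the feature is available. Deciding this once in the SSL compat header as a dedicated feature macro (e.g. `#define HAVE_SSL_CTX_BUILD_CERT_CHAIN`, derived from the macro test and/or the library version, with whatever LibreSSL/BoringSSL exclusions the header already applies) and testing that same macro here and in ssl_sock.c keeps the two guards from drifting apart. Failing the config load in the `#else` branch is the right fail-closed choice: the operator asked for the self-issued root to be stripped, and a silent no-op would keep serving the unchanged chain. The function's signature, including the `args` parameter used in the error message, begins above this hunk.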
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0f4eabb..f8001c5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3011,6 +3011,7 @@
}
#endif
+#ifdef SSL_CTX_build_cert_chain
/* remove the Root CA from the SSL_CTX if the option is activated */
if (global_ssl.skip_self_issued_ca) {
if (!SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT|SSL_BUILD_CHAIN_FLAG_UNTRUSTED|SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR)) {
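Review bot: With `SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR` in the call on the last line, the `!SSL_CTX_build_cert_chain(...)` test only catches outright failure; per the OpenSSL manual the function returns 2 when a chain was built but a verification error was ignored, which this check treats as success, so a certificate whose issuer cannot be located is installed with whatever partial chain was assembled and nothing is reported. Since this option exists precisely to control which chain is served, consider storing the return value and, when it is 2, emitting a warning through the same error path the failure branch uses, so the operator learns the served chain may be incomplete. The `#ifdef SSL_CTX_build_cert_chain` guard here duplicates the one in cfgparse-ssl.c and relies on the symbol being a macro; a single feature macro from the compat header would be more robust. The body of this `if` and its error handling continue in the next hunk.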
@@ -3020,6 +3021,7 @@
goto end;
}
}
+#endif
#ifndef OPENSSL_NO_DH
/* store a NULL pointer to indicate we have not yet loaded