commit f187ce68b1c0f5d2ba8434657ddd34dabf3f7ef3
author William Lallemand <wlallemand@haproxy.com> Tue Jun 02 18:27:20 2020 +0200
committer William Lallemand <wlallemand@haproxy.org> Tue Jun 02 18:37:42 2020 +0200
tree 00b4a1e72adc973d0c2429bd1eb436baca3353db
parent 39bd740d005fbe03a29a56851576b5e16a9b62f9

Revert "MINOR: ssl: rework add cert chain to CTX to be libssl independent"

This reverts commit 4fed93eb725b513dd3b2029daa888311db110851.

This commit was simplifying the certificate chain loading with
SSL_CTX_add_extra_chain_cert() which is available in all SSL libraries.
Unfortunately this function is not compatible with the
multi-certificates bundles, which have the effect of concatenating the
chains of all certificate types instead of creating a chain for each
type (RSA, ECDSA etc.)

Should fix issue #655.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8f16463..83cb2cb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2917,29 +2917,31 @@
 			find_chain = issuer->chain;
 	}
 
-	/* Load all certs from chain, except Root, in the ssl_ctx */
-	if (find_chain) {
-		int i;
+	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+	if (find_chain)
+#ifdef SSL_CTX_set1_chain
+		if (!SSL_CTX_set1_chain(ctx, find_chain)) {
+			memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+				  err && *err ? *err : "", path);
+			errcode |= ERR_ALERT | ERR_FATAL;
+			goto end;
+		}
+#else
+	{ /* legacy compat (< openssl 1.0.2) */
 		X509 *ca;
-		for (i = 0; i < sk_X509_num(find_chain); i++) {
-			ca = sk_X509_value(find_chain, i);
-			/* skip self issued (Root CA) */
-			if (global_ssl.skip_self_issued_ca && !X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
-				continue;
-			/*
-			   SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
-			   Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
-			*/
-			X509_up_ref(ca);
+		STACK_OF(X509) *chain;
+		chain = X509_chain_up_ref(find_chain);
+		while ((ca = sk_X509_shift(chain)))
 			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
-				X509_free(ca);
 				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
 					  err && *err ? *err : "", path);
+				X509_free(ca);
+				sk_X509_pop_free(chain, X509_free);
 				errcode |= ERR_ALERT | ERR_FATAL;
 				goto end;
 			}
-		}
 	}
+#endif
 
 #ifndef OPENSSL_NO_DH
 	/* store a NULL pointer to indicate we have not yet loaded