BUILD/MINOR: ssl: Fix compilation with OpenSSL 1.0.2
The X509_STORE_CTX_get0_cert did not exist yet on OpenSSL 1.0.2 and
neither did X509_STORE_CTX_get0_chain, which was not actually needed
since its get1 equivalent already existed.
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 983ee03..eb96703 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -291,6 +291,11 @@
{
return x->revocationDate;
}
+
+static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bc82783..83003d9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1592,14 +1592,12 @@
* chain, we might never call this verify callback on the client
* certificate's depth (which is 0) so we try to store the
* reference right now. */
- if (X509_STORE_CTX_get0_chain(x_store) != NULL) {
- certs = X509_STORE_CTX_get1_chain(x_store);
- if (certs) {
- client_crt = sk_X509_value(certs, 0);
- if (client_crt) {
- X509_up_ref(client_crt);
- SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
- }
+ certs = X509_STORE_CTX_get1_chain(x_store);
+ if (certs) {
+ client_crt = sk_X509_value(certs, 0);
+ if (client_crt) {
+ X509_up_ref(client_crt);
+ SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
}
sk_X509_pop_free(certs, X509_free);
}