MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain

If the ocsp issuer certificate was actually taken from the certificate
chain in ssl_sock_load_ocsp, we don't need to keep an extra reference on
it since we already keep a reference to the full certificate chain.
Remi Tricot-Le Breton 2023-01-09 12:02:44 +01:00 committed by William Lallemand
parent 8bdd0050e2
commit 112b16a4d0

@ -1244,8 +1244,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
/* Do not insert the same certificate_ocsp structure in the
* update tree more than once. */
if (!ocsp) {
iocsp->issuer = issuer;
X509_up_ref(issuer);
/* Issuer certificate is not included in the certificate
* chain, it will have to be treated separately during
* ocsp response validation. */
if (issuer == data->ocsp_issuer) {
iocsp->issuer = issuer;
X509_up_ref(issuer);
}
if (data->chain)
iocsp->chain = X509_chain_up_ref(data->chain);
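
Review bot: the new `if (issuer == data->ocsp_issuer)` branch leaves `iocsp->issuer` unassigned when the issuer was taken from the certificate chain, so every reader of `iocsp->issuer` now has to tolerate it being unset and find the issuer in `iocsp->chain` instead. The hunk does not show that the field starts out as NULL or that the OCSP response validation path was updated to handle that case, so both are worth confirming before merge. The added comment would also be easier to audit if it stated the invariant the pointer comparison relies on, namely that `issuer` equals `data->ocsp_issuer` only when it was not found in the chain. Separately, in the trailing context lines the result of `X509_chain_up_ref(data->chain)` is not checked; it returns NULL on allocation failure, and after this change the chain can be the only place the issuer is held, so a failure there would leave no issuer available for validation.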