MINOR: ssl: skip self issued CA in cert chain for ssl_ctx

First: self issued CA, aka root CA, is the enchor for chain validation, no need to send it, client must have it. HAProxy can skip it in ssl_ctx. Second: the main motivation to skip root CA in ssl_ctx is to be able to provide it in the chain without drawback. Use case is to provide issuer for ocsp without the need for .issuer and be able to share it in issuers-chain-path. This concerns all certificates without intermediate certificates. It's useless for BoringSSL, .issuer is ignored because ocsp bits doesn't need it.
2024-12-17 00:44:33 +00:00 · 2020-02-28 16:00:34 +01:00 · 2020-02-28 16:00:34 +01:00 · 1673977892
commit 1673977892
parent 37950c8d27
1 changed files with 4 additions and 1 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -3634,12 +3634,15 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 			find_chain = issuer->chain;
 	}

-	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+	/* Load all certs from chain, except Root, in the ssl_ctx */
 	if (find_chain) {
 		int i;
 		X509 *ca;
 		for (i = 0; i < sk_X509_num(find_chain); i++) {
 			ca = sk_X509_value(find_chain, i);
+			/* skip self issued (Root CA) */
+			if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
+				continue;
 			/*
 			   SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
 			   Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)