RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: skip self issued CA in cert chain for ssl_ctx 

First: self issued CA, aka root CA, is the enchor for chain validation,
no need to send it, client must have it. HAProxy can skip it in ssl_ctx.
Second: the main motivation to skip root CA in ssl_ctx is to be able to
provide it in the chain without drawback. Use case is to provide issuer
for ocsp without the need for .issuer and be able to share it in
issuers-chain-path. This concerns all certificates without intermediate
certificates. It's useless for BoringSSL, .issuer is ignored because ocsp
bits doesn't need it.
This commit is contained in:
Emmanuel Hocdet 2020-02-28 16:00:34 +01:00 committed by William Lallemand
parent 37950c8d27
commit 1673977892
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ssl_sock.c
View File

@ -3634,12 +3634,15 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
find_chain = issuer->chain;
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
/* Load all certs from chain, except Root, in the ssl_ctx */
if (find_chain) {
int i;
X509 *ca;
for (i = 0; i < sk_X509_num(find_chain); i++) {
ca = sk_X509_value(find_chain, i);
/* skip self issued (Root CA) */
if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
continue;
/*
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)