mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-27 23:22:09 +00:00
MINOR: ssl: skip self issued CA in cert chain for ssl_ctx
First: self issued CA, aka root CA, is the enchor for chain validation, no need to send it, client must have it. HAProxy can skip it in ssl_ctx. Second: the main motivation to skip root CA in ssl_ctx is to be able to provide it in the chain without drawback. Use case is to provide issuer for ocsp without the need for .issuer and be able to share it in issuers-chain-path. This concerns all certificates without intermediate certificates. It's useless for BoringSSL, .issuer is ignored because ocsp bits doesn't need it.
This commit is contained in:
parent
37950c8d27
commit
1673977892
@ -3634,12 +3634,15 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
|
||||
find_chain = issuer->chain;
|
||||
}
|
||||
|
||||
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
|
||||
/* Load all certs from chain, except Root, in the ssl_ctx */
|
||||
if (find_chain) {
|
||||
int i;
|
||||
X509 *ca;
|
||||
for (i = 0; i < sk_X509_num(find_chain); i++) {
|
||||
ca = sk_X509_value(find_chain, i);
|
||||
/* skip self issued (Root CA) */
|
||||
if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
|
||||
continue;
|
||||
/*
|
||||
SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
|
||||
Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
|
||||
|
Loading…
Reference in New Issue
Block a user