From 16739778923bbd3f827a8e9ce760c4caa831b5b8 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Fri, 28 Feb 2020 16:00:34 +0100
Subject: [PATCH] MINOR: ssl: skip self issued CA in cert chain for ssl_ctx
First: self issued CA, aka root CA, is the enchor for chain validation, no need to send it, client must have it. HAProxy can skip it in ssl_ctx.
Second: the main motivation to skip root CA in ssl_ctx is to be able to provide it in the chain without drawback. Use case is to provide issuer for ocsp without the need for .issuer and be able to share it in issuers-chain-path. This concerns all certificates without intermediate certificates.
It's useless for BoringSSL, .issuer is ignored because ocsp bits doesn't need it.
---
 src/ssl_sock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 46aae7f12..d2e59482b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3634,12 +3634,15 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 find_chain = issuer->chain;
 }
- /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+ /* Load all certs from chain, except Root, in the ssl_ctx */
 if (find_chain) {
 int i;
 X509 *ca;
 for (i = 0; i < sk_X509_num(find_chain); i++) {
 ca = sk_X509_value(find_chain, i);
+ /* skip self issued (Root CA) */
+ if (!X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca)))
+ continue;
 /* SSL_CTX_add1_chain_cert could be used with openssl >= 1.0.2
 Used SSL_CTX_add_extra_chain_cert for compat (aka SSL_CTX_add0_chain_cert)
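Review bot: The added `X509_NAME_cmp(X509_get_subject_name(ca), X509_get_issuer_name(ca))` test treats name equality as "is a root", but RFC 5280 self-issued certificates such as a CA key-rollover (new-with-old) certificate also have subject == issuer while being signed by a different key, and a peer that only trusts the old key still needs that certificate in the chain to build a path. If the intent is to drop only trust anchors, `if (X509_check_issued(ca, ca) == X509_V_OK) continue;` additionally ties the authority key identifier to the subject key identifier, so a rollover certificate is kept; it is still not a signature check, and the comment should say `/* skip certs that appear self-signed (subject == issuer, SKID/AKID match); peers hold the anchor */` rather than asserting "Root CA". The enclosing ssl_sock_put_ckch_into_ctx() starts before the hunk and the loop body continues past it, so I cannot see whether the end-entity certificate can ever appear in find_chain; if it can, a self-signed leaf (common in test deployments) would now be silently dropped from the chain as well.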