RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-19 13:35:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: add extra chain compatibility

Browse Source 
cert_key_and_chain handling is now outside openssl 1.0.2 #if: the
code must be libssl compatible. SSL_CTX_add1_chain_cert and
SSL_CTX_set1_chain requires openssl >= 1.0.2, replace it by legacy
SSL_CTX_add_extra_chain_cert when SSL_CTX_set1_chain is not provided.
This commit is contained in:
Emmanuel Hocdet 2018-12-03 18:07:44 +01:00 committed by William Lallemand
parent 9246f8bc83
commit 1c65fdd50e
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/ssl_sock.c
View File

@ -3045,11 +3045,24 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
#ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path);
return 1;
}
#else
{ /* legacy compat (< openssl 1.0.2) */
X509 *ca;
while ((ca = sk_X509_shift(ckch->chain)))
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
X509_free(ca);
return 1;
}
}
#endif
if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",