RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: chain must be initialized with sk_X509_new_null() 

Even when there isn't a chain, it must be initialized to a empty X509
structure with sk_X509_new_null().

This patch fixes a segfault which appears with older versions of the SSL
libs (openssl 0.9.8, libressl 2.8.3...) because X509_chain_up_ref() does
not check the pointer.

This bug was introduced by b90d2cb ("MINOR: ssl: resolve issuers chain
later").

Should fix issue #516.
This commit is contained in:
William Lallemand 2020-02-27 14:48:35 +01:00 committed by William Lallemand
parent 530408f976
commit 858885737c
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ssl_sock.c
View File

@ -3629,6 +3629,11 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
if (issuer)
find_chain = issuer->chain;
}
/* If we didn't find a chain we *MUST* use an empty X509 structure */
if (find_chain == NULL)
find_chain = sk_X509_new_null();
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
#ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, find_chain)) {