[PATCH] fix/unify access to SSL_CTX certificate chains

Elias Ohm via nginx-devel
May 13, 2019 02:18AM
src/event/ngx_event_openssl_stapling.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)


# HG changeset patch
# User Elias Ohm <eohm@novomind.com>
# Date 1557697215 -7200
# Sun May 12 23:40:15 2019 +0200
# Node ID 6c1d44aa7054fb130ece5432119d04971b586795
# Parent 16a1adadf43751f59257ba419f6bacd530dd19d3
fix/unify access to SSL_CTX certificate chains

for newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate, while in older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert), which is always global to the context.

reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions).
however, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls back to reading chain_certs when no extra_certs are available, but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. in addition, this is an inconsistent use of the functions, and the functionality of trying extra certs and falling back to the certificate chain is not needed here.

diff -r 16a1adadf437 -r 6c1d44aa7054 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Wed Apr 24 16:38:56 2019 +0300
+++ b/src/event/ngx_event_openssl_stapling.c Sun May 12 23:40:15 2019 +0200
@@ -298,7 +298,10 @@
SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif

-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+#ifdef SSL_CTX_get0_chain_certs
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_get0_chain_certs(ssl->ctx, &chain);
+#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
#else
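Review bot: `#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS` tests the macro's value, not its existence, whereas the `#ifdef` it replaces tested existence; write `#elif defined(SSL_CTRL_GET_EXTRA_CHAIN_CERTS)` so the 1.0.1 branch is selected exactly as before (an undefined name silently evaluates to 0 in `#elif`, and a definition that is not an integer constant is a preprocessor error). The new first branch has a selection problem of its own: `#ifdef SSL_CTX_get0_chain_certs` is only true where the library provides that name as a macro; a library that exports it as an ordinary function fails the test and drops through to `SSL_CTX_get_extra_chain_certs`, which is the very path the commit message says is broken on non-OpenSSL implementations. Guarding on the ctrl constant instead, in the `SSL_CTRL_*` style this file already uses (OpenSSL's macro expands to a `SSL_CTX_ctrl` call with `SSL_CTRL_GET_CHAIN_CERTS`), would behave the same on every build, and the commit message should name the libraries and versions the change was actually built against.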
@@ -655,7 +658,10 @@
SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
#endif

-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+#ifdef SSL_CTX_get0_chain_certs
+ /* OpenSSL 1.0.2+ */
+ SSL_CTX_get0_chain_certs(staple->ssl_ctx, &chain);
+#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
#else
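Review bot: this is the second verbatim copy of the same three-way preprocessor ladder (the first is in the previous hunk), differing only in the `SSL_CTX *` argument; a small static helper taking the context pointer would keep the two from drifting apart, and the `#elif` here needs the same `defined(...)` wrapping as the first copy. Separately, the commit message itself describes the 1.0.2+ chain field as belonging to one certificate and the extra chain as global to the context, so after this change the new branch no longer reports certificates installed with `SSL_CTX_add_extra_chain_cert`; the commit message should state that nginx installs chains through the per-certificate API on those versions, otherwise the stapling lookup would come back empty for chains that were added the old way.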
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel