Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Sergey Kandaurov
December 18, 2023 05:10PM
> On 24 Nov 2023, at 00:29, Ilya Shipitsin <chipitsine@gmail.com> wrote:
>
> # HG changeset patch
> # User Ilya Shipitsin <chipitsine@gmail.com>
> # Date 1700769135 -3600
> # Thu Nov 23 20:52:15 2023 +0100
> # Node ID 2001e73ce136d5bfc9bde27d338865b14b8ad436
> # Parent 7ec761f0365f418511e30b82e9adf80bc56681df
> ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

style: SSL prefix should be uppercase.

>
> diff -r 7ec761f0365f -r 2001e73ce136 src/event/ngx_event_openssl_stapling.c
> --- a/src/event/ngx_event_openssl_stapling.c Thu Oct 26 23:35:09 2023 +0300
> +++ b/src/event/ngx_event_openssl_stapling.c Thu Nov 23 20:52:15 2023 +0100
> @@ -893,7 +893,8 @@
> ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
> ocsp->conf = ocf;
>
> -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
> +/* minimum OpenSSL 1.1.1 & LibreSSL 3.3.6 */
> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x3030600L))
>
> ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
>

Testing "defined(LIBRESSL_VERSION_NUMBER)" is superfluous.
The macro test suffers from a very long line.

The correct version test seems to be against LibreSSL 3.5.0, see
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt

So, the resulting change would be as follows:

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -893,7 +893,9 @@ ngx_ssl_ocsp_validate(ngx_connection_t *
ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
ocsp->conf = ocf;

-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L \
+ && !defined LIBRESSL_VERSION_NUMBER) \
+ || LIBRESSL_VERSION_NUMBER >= 0x3050000fL

ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);


On the other hand, I don't like the resulting style mudness.
It may have sense just to drop old LibreSSL versions support:
maintaining one or two most recent stable branches should be enough.

But anyway, I don't see an obvious win over the existing code:
the certificate chain is reconstructed if SSL_get0_verified_chain()
is (detected to be) not present, which should be fine in most cases.

That said, it doesn't seem to deserve introducing 3-line macro test,
or (see OTOH note) breaking old LibreSSL support for no apparent reason.

--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Ilya Shipitsin 504 November 23, 2023 03:30PM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Sergey Kandaurov 102 December 18, 2023 05:10PM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Maxim Dounin 115 December 19, 2023 04:00AM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Илья Шипицин 95 December 19, 2023 06:18AM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Maxim Dounin 106 December 19, 2023 12:56PM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Sergey Kandaurov 101 December 19, 2023 01:46PM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Maxim Dounin 106 December 20, 2023 05:42PM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Sergey Kandaurov 111 December 22, 2023 08:54AM

Re: [PATCH] ssl: SSL_get0_verified_chain is available for LibreSSL >= 3.3.6

Maxim Dounin 142 December 23, 2023 04:32PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 123
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready