Posted to issues@trafficserver.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2016/06/30 00:34:12 UTC
[jira] [Created] (TS-4619) intermediate certificate chain loading can miss certificates
James Peach created TS-4619:
-------------------------------
Summary: intermediate certificate chain loading can miss certificates
Key: TS-4619
URL: https://issues.apache.org/jira/browse/TS-4619
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: James Peach
When loading intermediate SSL certificates, the original code used {{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the file.
The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single {{X509 *}}, so it only ends up loading the first intermediate rather than all of them.
This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do here is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and inside {{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}} if it is available.
Also take a look at the place where the server certificate is loaded. This is also allowed to be a bundle, so we can call {{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication, though at this point we already have a {{BIO}} in hand that we would need to use.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
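A way to catch the symptom described in this issue from the outside, as an added example that is not Traffic Server code: split the configured intermediate bundle into all of its PEM blocks (the step the {{SSL_CTX_add0_chain_cert}} path skipped) and compare it against the chain a client actually received, e.g. the PEM blocks pasted from `openssl s_client -showcerts`. Stdlib only; the certificate bodies are constructed placeholders, not real X.509 DER.

```python
import base64
import hashlib
import re
import ssl

# One PEM certificate block; re.S lets '.' span the wrapped base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Every certificate in a PEM bundle, in file order.

    Keeping only the first element is the TS-4619 behaviour: a single
    intermediate is added to the chain and the rest are silently dropped.
    """
    return PEM_BLOCK.findall(text)


def fingerprint(pem_block):
    """SHA-256 of the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()


def missing_intermediates(bundle_text, served_text):
    """Certificates in the configured bundle that the server did not present.

    served_text holds the PEM blocks a client saw; an empty result means the
    whole intermediate chain was loaded."""
    served = {fingerprint(b) for b in split_pem_bundle(served_text)}
    return [b for b in split_pem_bundle(bundle_text)
            if fingerprint(b) not in served]


def constructed_cert(label):
    """Constructed stand-in: valid PEM framing around a fake base64 body."""
    body = base64.encodebytes(b"constructed-cert:" + label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


LEAF = constructed_cert("leaf")
INTERMEDIATE_A = constructed_cert("intermediate-A")
INTERMEDIATE_B = constructed_cert("intermediate-B")

# The intermediate bundle as configured on the server (two certificates).
INTERMEDIATE_BUNDLE = INTERMEDIATE_A + INTERMEDIATE_B
# What a server with the bug presents: leaf plus the first intermediate only.
SERVED_BUGGY = LEAF + INTERMEDIATE_A
# What a server with the fix presents: leaf plus the full bundle.
SERVED_FIXED = LEAF + INTERMEDIATE_A + INTERMEDIATE_B
```

Run `missing_intermediates(INTERMEDIATE_BUNDLE, SERVED_BUGGY)` to see the dropped intermediate reported; a client lacking that intermediate in its own store would fail chain validation against such a server.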