Repository: trafficserver Updated Branches: refs/heads/master ba1c77c26 -> 99fabae49
TS-3027: add hashed intermediate certificate support if ssl_ca_name= is configured in ssl_multicert.config use that to build the cert chain else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path) use that file to build the chain else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL) use the hashed symlinks in that directory to build the chain else error out because we don't have the right configuration to build the chain Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5b1b1e06 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5b1b1e06 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5b1b1e06 Branch: refs/heads/master Commit: 5b1b1e06755029e0bbb41a1000124dd356d14bde Parents: ba1c77c Author: Steven Feltner <steven.felt...@gmail.com> Authored: Fri Aug 22 12:54:29 2014 -0700 Committer: James Peach <jpe...@apache.org> Committed: Fri Aug 22 12:54:29 2014 -0700 ---------------------------------------------------------------------- iocore/net/SSLUtils.cc | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5b1b1e06/iocore/net/SSLUtils.cc ----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 0d85a49..9992ac2 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1069,6 +1069,27 @@ SSLInitServerContext(
 goto fail;
 }
 }
+
+ // SSL_CTX_load_verify_locations() builds the cert chain from the
+ // serverCACertFilename if that is not NULL. Otherwise, it uses the hashed
+ // symlinks in serverCACertPath.
+ //
+ // if ssl_ca_name is NOT configured for this cert in ssl_multicert.config
+ // AND
+ // if proxy.config.ssl.CA.cert.filename and proxy.config.ssl.CA.cert.path
+ // are configured
+ // pass that file as the chain (include all certs in that file)
+ // else if proxy.config.ssl.CA.cert.path is configured (and
+ // proxy.config.ssl.CA.cert.filename is NULL)
+ // use the hashed symlinks in that directory to build the chain
+ if (!sslMultCertSettings.ca && params->serverCACertPath != NULL) {
+ if ((!SSL_CTX_load_verify_locations(ctx, params->serverCACertFilename, params->serverCACertPath)) || (!SSL_CTX_set_default_verify_paths(ctx))) {
+ SSLError("invalid CA Certificate file or CA Certificate path");
+ goto fail;
+ }
+ }
+
 if (params->clientCertLevel != 0) {
 if (params->serverCACertFilename != NULL && params->serverCACertPath != NULL) {