James Peach created TS-4619:
-------------------------------

             Summary: intermediate certificate chain loading can miss certificates
                 Key: TS-4619
                 URL: https://issues.apache.org/jira/browse/TS-4619
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: James Peach


When loading intermediate SSL certificates, the original code used 
{{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the 
file.

The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single {{X509 
*}}, so it only ends up loading the first intermediate rather than all of them.

This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do here 
is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and inside 
{{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}} if it is 
available.

Also take a look at the place where the server certificate is loaded. This is 
also allowed to be a bundle, so we can call 
{{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication, 
though at this point we already have a {{BIO}} in hand that we would need to 
use.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)