Traffic Server - TS-4619

Intermediate certificate chain loading can miss certificates


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.0.0
    • Component/s: SSL
    • Labels: None

Description

    When loading intermediate SSL certificates, the original code used SSL_CTX_add_extra_chain_cert_file, which adds all the certificates in the file.

    The new code uses SSL_CTX_add0_chain_cert and passes it a single X509 *, so it only ends up loading the first intermediate rather than all of them.

    This code occurs in 3 places with ugly #ifdefs. The right thing to do here is to call SSL_CTX_add_extra_chain_cert_file in every place and, inside SSL_CTX_add_extra_chain_cert_file, use SSL_CTX_add0_chain_cert if it is available.

    Also take a look at the place where the server certificate is loaded. This is also allowed to be a bundle, so we can call SSL_CTX_add_extra_chain_cert_file again to avoid the code duplication, though at this point we already have a BIO in hand that we would need to use.
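The defect described above is a loader that takes the first certificate out of a PEM bundle and stops, so every intermediate after it is silently dropped and clients receive an incomplete chain. The following Python is an added illustration, not Traffic Server code: it parses a PEM bundle into its individual certificate blocks, models the "first certificate only" behaviour against "every certificate in the file", and reports which intermediates the first-only loader would miss. The bundle contents are constructed placeholders (base64 text, not real X.509 DER) so that the example runs offline; on a real chain file the same functions report how many certificates the file actually carries.

```python
import base64
import re

# Matches one PEM certificate block, tolerating CRLF line endings and
# stray text between blocks (comments, blank lines, "subject=" dumps).
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certificates(bundle_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    certs = []
    for match in _PEM_CERT.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop line breaks inside the block
        certs.append(base64.b64decode(body, validate=True))
    return certs


def load_first_only(bundle_text: str) -> list:
    """Models the buggy path: one X509 * handed to SSL_CTX_add0_chain_cert."""
    certs = split_pem_certificates(bundle_text)
    return certs[:1]


def load_all(bundle_text: str) -> list:
    """Models the correct path: iterate the bundle and add every certificate."""
    return split_pem_certificates(bundle_text)


def missing_intermediates(bundle_text: str) -> list:
    """Certificates a first-only loader would drop, in file order."""
    return load_all(bundle_text)[len(load_first_only(bundle_text)):]


def count_pem_certificates(path: str) -> int:
    """Check a chain file on disk: how many certificates does it actually contain?"""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return len(split_pem_certificates(fh.read()))


# Constructed three-certificate bundle. The bodies are placeholder base64
# (the DER payloads are just ASCII tags), not real certificates.
def _fake_block(tag: str) -> str:
    body = base64.b64encode(tag.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    "subject=intermediate-1 (constructed)\n"
    + _fake_block("intermediate-1")
    + "\n"
    + _fake_block("intermediate-2").replace("\n", "\r\n")  # CRLF block
    + _fake_block("intermediate-3")
)


if __name__ == "__main__":
    got = load_first_only(SAMPLE_BUNDLE)
    want = load_all(SAMPLE_BUNDLE)
    print(f"bundle holds {len(want)} certificate(s); first-only loader sends {len(got)}")
    for der in missing_intermediates(SAMPLE_BUNDLE):
        print("dropped:", der.decode())
```

Running the script on the constructed bundle shows the loader sending one of three certificates; pointing count_pem_certificates at a real intermediate bundle tells you how many entries the correct loader should produce, which is the number to compare against the chain the server actually presents.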


People

    • Assignee: shinrich Susan Hinrichs
    • Reporter: jamespeach James Peach


Time Tracking

    • Original Estimate: Not Specified
    • Remaining Estimate: 0h
    • Time Spent: 1h