On Wed, Aug 05, 2020 at 11:42:15AM +0200, William Dauchy wrote:
> Hi,
>
> Here is a patch to add a new fetcher for cert chain.
> It follows discussion after thread
> https://www.mail-archive.com/[email protected]/msg35607.html
>
> It currently does not support session reuse, but I was looking for
> inputs about it, whether I could make use of `reused_sess` objects in
> haproxy, and in which way. Indeed, as pointed by Emeric in
> https://www.mail-archive.com/[email protected]/msg37380.html
> `SSL_get_peer_cert_chain` returns NULL in case of resumed session.
>
I don't know if this is possible to fix it, but I think must of the SSL fetches
have
the problem.
Your patches look good, my only concern is the alloc_trash_chunk()
return value which is not tested, otherwise I'm okay to merge them!
> + smp_trash = get_trash_chunk();
> + tmp_trash = alloc_trash_chunk();
> + for (i = 0; i < num_certs; i++) {
> + crt = sk_X509_value(certs, i);
> + if (ssl_sock_crt2der(crt, tmp_trash) <= 0)
> + goto out;
> + chunk_cat(smp_trash, tmp_trash);
> + }
--
William Lallemand