[
https://issues.apache.org/jira/browse/TS-4619?focusedWorklogId=26341&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-26341
]
ASF GitHub Bot logged work on TS-4619:
--------------------------------------
Author: ASF GitHub Bot
Created on: 11/Aug/16 22:19
Start Date: 11/Aug/16 22:19
Worklog Time Spent: 10m
Work Description: GitHub user shinrich opened a pull request:
https://github.com/apache/trafficserver/pull/853
TS-4619: intermediate chain loading can miss certificates.
Made the changes @jpeach suggested in the bug. Tested with three deep
chains for rsa and ec (cert and two signers). Tested with both signers in the
ssl_ca_name files. Tested with all three certs in the ssl_cert_name file.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shinrich/trafficserver ts-4619
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/853.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #853
----
commit 0ea0f210d8e0cda1e58d807a9884f7ec81f25c75
Author: shinrich <[email protected]>
Date: 2016-08-11T22:16:17Z
TS-4619: intermediate chain loading can miss certificates.
----
Issue Time Tracking
-------------------
Worklog Id: (was: 26341)
Time Spent: 10m
Remaining Estimate: 0h
> intermediate certificate chain loading can miss certificates
> ------------------------------------------------------------
>
> Key: TS-4619
> URL: https://issues.apache.org/jira/browse/TS-4619
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: James Peach
> Assignee: James Peach
> Fix For: 7.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When loading intermediate SSL certificates, the original code used
> {{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the
> file.
> The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single
> {{X509 *}}, so it only ends up loading the first intermediate rather than
> all of them.
> This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do
> here is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and
> inside {{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}}
> if it is available.
> Also take a look at the place where the server certificate is loaded. This is
> also allowed to be a bundle, so we can call
> {{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication,
> though at this point we already have a {{BIO}} in hand that we would need to
> use.