[ https://issues.apache.org/jira/browse/TS-4619?focusedWorklogId=26355&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-26355 ]

ASF GitHub Bot logged work on TS-4619:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Aug/16 13:29
            Start Date: 12/Aug/16 13:29
    Worklog Time Spent: 10m 
      Work Description: Github user shinrich commented on the issue:

    https://github.com/apache/trafficserver/pull/853
  
    The add1 version increments the reference count of the certificate. The
    add0 version doesn't, so it effectively takes ownership of the reference
    you pass in. From the man page:
    
    "All these functions are implemented as macros. Those containing a 1 
increment the reference count of the supplied certificate or chain so it must 
be freed at some point after the operation. Those containing a 0 do not 
increment reference counts and the supplied certificate or chain MUST NOT be 
freed after the operation."


Issue Time Tracking
-------------------

    Worklog Id:     (was: 26355)
    Time Spent: 50m  (was: 40m)

> intermediate certificate chain loading can miss certificates
> ------------------------------------------------------------
>
>                 Key: TS-4619
>                 URL: https://issues.apache.org/jira/browse/TS-4619
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: James Peach
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> When loading intermediate SSL certificates, the original code used 
> {{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the 
> file.
> The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single {{X509 
> *}}, so it only ends up loading the first intermediate rather than all of 
> them.
> This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do 
> here is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and 
> inside {{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}} 
> if it is available.
> Also take a look at the place where the server certificate is loaded. This is 
> also allowed to be a bundle, so we can call 
> {{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication, 
> though at this point we already have a {{BIO}} in hand that we would need to 
> use.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
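
The ownership rule from the comment and the load-every-certificate fix from the issue description, as an added example that is not part of the original message or of the Traffic Server code. It models the reference counts with stand-in types; `cert_t`, `ctx_t`, `chain_add0`, `chain_add1` and `load_bundle` are hypothetical names, not OpenSSL calls.

```c
#include <stdlib.h>

/* Stand-in types for this example only: they model the ownership rules,
 * they are not OpenSSL's X509 or SSL_CTX. */
typedef struct { int refs; } cert_t;
typedef struct { cert_t *chain[8]; size_t n; } ctx_t;
static int live_certs = 0;             /* allocations not yet released */

cert_t *cert_new(void) {
    cert_t *c = malloc(sizeof *c);
    if (c) { c->refs = 1; live_certs++; }
    return c;
}

void cert_free(cert_t *c) {            /* drop one reference */
    if (c && --c->refs == 0) { free(c); live_certs--; }
}

/* "0" flavour: no increment, the context takes over the caller's reference. */
int chain_add0(ctx_t *ctx, cert_t *c) {
    if (ctx->n == 8) return 0;         /* on failure the caller still owns c */
    ctx->chain[ctx->n++] = c;
    return 1;
}

/* "1" flavour: the context takes its own reference, the caller keeps theirs. */
int chain_add1(ctx_t *ctx, cert_t *c) {
    if (!chain_add0(ctx, c)) return 0;
    c->refs++;
    return 1;
}

void ctx_free(ctx_t *ctx) {            /* release the context's references */
    while (ctx->n > 0) cert_free(ctx->chain[--ctx->n]);
}

/* Add every certificate of a `count`-entry bundle, not only the first.
 * cert_new() stands in for reading the next entry from the file. */
size_t load_bundle(ctx_t *ctx, size_t count, int use_add1) {
    size_t added = 0;
    for (size_t i = 0; i < count; i++) {
        cert_t *c = cert_new();
        if (!c) break;
        int ok = use_add1 ? chain_add1(ctx, c) : chain_add0(ctx, c);
        if (use_add1 || !ok) cert_free(c);  /* add0 success: must not free */
        if (!ok) break;
        added++;
    }
    return added;
}
```

Freeing after a successful `chain_add0` would leave the context holding a dangling pointer; skipping the free after `chain_add1` would leak one reference per certificate.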
