Bryan Call updated TS-4619:
    Summary: Intermediate certificate chain loading can miss certificates  
(was: intermediate certificate chain loading can miss certificates)

> Intermediate certificate chain loading can miss certificates
> ------------------------------------------------------------
>                 Key: TS-4619
>                 URL: https://issues.apache.org/jira/browse/TS-4619
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: James Peach
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>          Time Spent: 1h
>  Remaining Estimate: 0h
> When loading intermediate SSL certificates, the original code used 
> {{SSL_CTX_add_extra_chain_cert_file}} which adds all the certificates in the 
> file.
> The new code uses {{SSL_CTX_add0_chain_cert}} and passes it a single {{X509 
> *}}, so it only ends up loading the first intermediate rather than all of 
> them.
> This code occurs in 3 places with ugly {{#ifdefs}}. The right thing to do 
> here is to call {{SSL_CTX_add_extra_chain_cert_file}} in every place and 
> inside {{SSL_CTX_add_extra_chain_cert_file}} use {{SSL_CTX_add0_chain_cert}} 
> if it is available.
> Also take a look at the place where the server certificate is loaded. This is 
> also allowed to be a bundle, so we can call 
> {{SSL_CTX_add_extra_chain_cert_file}} again to avoid the code duplication, 
> though at this point we already have a {{BIO}} in hand that we would need to 
> use.

This message was sent by Atlassian JIRA

Reply via email to