[PATCH] fix/unify access to SSL_CTX certificate chains

eohm at eohm.net.eu.org
Mon May 13 06:16:13 UTC 2019


 src/event/ngx_event_openssl_stapling.c |  10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)


# HG changeset patch
# User Elias Ohm <eohm at novomind.com>
# Date 1557697215 -7200
#      Sun May 12 23:40:15 2019 +0200
# Node ID 6c1d44aa7054fb130ece5432119d04971b586795
# Parent  16a1adadf43751f59257ba419f6bacd530dd19d3
fix/unify access to SSL_CTX certificate chains

for newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate while in older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert) which is always global to the context.

reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions).
however, this works for OpenSSL where the SSL_CTX_get_extra_chain_certs falls back to reading chain_certs when no extra_certs are available, but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. in addition this is inconsistent use of the functions, and the functionality of trying extra certs and falling back to the certificate's chain is not needed here.

diff -r 16a1adadf437 -r 6c1d44aa7054 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Wed Apr 24 16:38:56 2019 +0300
+++ b/src/event/ngx_event_openssl_stapling.c	Sun May 12 23:40:15 2019 +0200
@@ -298,7 +298,10 @@
     SSL_CTX_select_current_cert(ssl->ctx, cert);
 #endif
 
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+#ifdef SSL_CTX_get0_chain_certs
+    /* OpenSSL 1.0.2+ */
+    SSL_CTX_get0_chain_certs(ssl->ctx, &chain);
+#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS
     /* OpenSSL 1.0.1+ */
     SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
 #else
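Review bot: the new `#ifdef SSL_CTX_get0_chain_certs` test only detects the call where it is a preprocessor macro, which is exactly the situation this patch says it wants to handle across implementations; where `SSL_CTX_get0_chain_certs` is provided as a real function (or the `SSL_CTX_ctrl` wrapper macro is not exposed), the `#ifdef` is false and the code silently falls through to `SSL_CTX_get_extra_chain_certs`, reproducing the problem the commit message describes. Keying on the control constant, as the existing code already does for the older path, is the more robust feature test: `#ifdef SSL_CTRL_GET_CHAIN_CERTS` mirrors `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` and is defined wherever the chain-certs ctrl exists, independent of whether the accessor is a macro or a function. Also note that `SSL_CTX_get0_chain_certs` returns the chain of the *current* certificate, so it depends on the `SSL_CTX_select_current_cert` call in the preceding context lines having succeeded; a short comment saying so would help, since the old `extra_chain` path had no such dependency.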
@@ -655,7 +658,10 @@
     SSL_CTX_select_current_cert(staple->ssl_ctx, ctx->cert);
 #endif
 
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+#ifdef SSL_CTX_get0_chain_certs
+    /* OpenSSL 1.0.2+ */
+    SSL_CTX_get0_chain_certs(staple->ssl_ctx, &chain);
+#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS
     /* OpenSSL 1.0.1+ */
     SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
 #else
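Review bot: `#elif SSL_CTRL_GET_EXTRA_CHAIN_CERTS` changes the semantics of the old `#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS` check: `#elif` evaluates the macro's value, so the branch is taken only if the constant is defined *and* non-zero, and a header that defines it as anything other than an integer constant makes the expression a preprocessor error. The equivalent form is `#elif defined(SSL_CTRL_GET_EXTRA_CHAIN_CERTS)`; the same applies to the first hunk. Since this hunk and the one at `@@ -298,7 +298,10 @@` now carry an identical three-way `#if` ladder differing only in the `SSL_CTX *` argument, consider factoring the selection into one helper (for example a static `ngx_ssl_get_chain(SSL_CTX *ctx, STACK_OF(X509) **chain)` next to the other OpenSSL compatibility shims) so that the version logic lives in one place and future changes cannot leave the two call sites out of step.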

