46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
From aa81834bc3ff47aa5cc66b6763678d3cf47a3d54 Mon Sep 17 00:00:00 2001
|
|
From: Glenn Strauss <gstrauss@gluelogic.com>
|
|
Date: Fri, 12 Mar 2021 20:03:38 -0500
|
|
Subject: [PATCH] [mod_openssl] skip cert chain build if self-issued
|
|
|
|
If cert is self-issued, then do not attempt to build certificate chain.
|
|
|
|
(Attempting to build certificate chain when chain is not provided, but
|
|
ssl.ca-file is specified, is provided as backward compatible behavior
|
|
from lighttpd versions prior to lighttpd 1.4.56)
|
|
|
|
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
|
|
---
|
|
src/mod_openssl.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
--- a/src/mod_openssl.c
|
|
+++ b/src/mod_openssl.c
|
|
@@ -103,6 +103,7 @@ typedef struct {
|
|
time_t ssl_stapling_loadts;
|
|
time_t ssl_stapling_nextts;
|
|
char must_staple;
|
|
+ char self_issued;
|
|
} plugin_cert;
|
|
|
|
typedef struct {
|
|
@@ -1081,7 +1082,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg
|
|
#if !defined(BORINGSSL_API_VERSION) \
|
|
&& !defined(LIBRESSL_VERSION_NUMBER)
|
|
/* (missing SSL_set1_chain_cert_store() and SSL_build_cert_chain()) */
|
|
- else if (hctx->conf.ssl_ca_file) {
|
|
+ else if (hctx->conf.ssl_ca_file && !pc->self_issued) {
|
|
/* preserve legacy behavior whereby openssl will reuse CAs trusted for
|
|
* certificate verification (set by SSL_CTX_load_verify_locations() in
|
|
* SSL_CTX) in order to build certificate chain for server certificate
|
|
@@ -1671,6 +1672,9 @@ network_openssl_load_pemfile (server *sr
|
|
#else
|
|
pc->must_staple = 0;
|
|
#endif
|
|
+ pc->self_issued =
|
|
+ (0 == X509_NAME_cmp(X509_get_subject_name(ssl_pemfile_x509),
|
|
+ X509_get_issuer_name(ssl_pemfile_x509)));
|
|
|
|
if (!buffer_string_is_empty(pc->ssl_stapling_file)) {
|
|
#ifndef OPENSSL_NO_OCSP
|