diff -Naurp squid-3.3.8.orig/src/client_side.cc squid-3.3.8/src/client_side.cc
--- squid-3.3.8.orig/src/client_side.cc	2015-03-26 12:46:28.000000000 +0100
+++ squid-3.3.8/src/client_side.cc	2015-03-26 11:11:17.000000000 +0100
@@ -3859,8 +3859,18 @@ ConnStateData::getSslContextDone(SSL_CTX
     // Try to add generated ssl context to storage.
     if (port->generateHostCertificates && isNew) {
 
-        if (signAlgorithm == Ssl::algSignTrusted)
+        if (signAlgorithm == Ssl::algSignTrusted) {
+            // Add signing certificate to the certificates chain
+            X509 *cert = port->signingCert.get();
+            if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+                // increase the certificate lock
+                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+            } else {
+                const int ssl_error = ERR_get_error();
+                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+            }
             Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+        }
         //else it is self-signed or untrusted do not attrach any certificate
 
         Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
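Review bot: `port->signingCert.get()` is used without a null check in the added `algSignTrusted` branch. It is passed to `SSL_CTX_add_extra_chain_cert()` and then dereferenced through `cert->references`, so if a port can reach this path without a loaded signing certificate (not visible from this hunk), the likely result is a crash rather than the warning. Guarding the call, e.g. `if (cert && SSL_CTX_add_extra_chain_cert(sslContext, cert)) {`, keeps that case on the logged path. Separately, `ERR_get_error()` returns `unsigned long`, so `const int ssl_error` can truncate the code before `ERR_error_string()` formats it; `const unsigned long ssl_error = ERR_get_error();` avoids that. The body of getSslContextDone starts and ends outside the hunk.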
diff -Naurp squid-3.3.8.orig/src/ssl/support.cc squid-3.3.8/src/ssl/support.cc
--- squid-3.3.8.orig/src/ssl/support.cc	2013-07-13 15:25:14.000000000 +0200
+++ squid-3.3.8/src/ssl/support.cc	2015-03-26 12:44:15.104570937 +0100
@@ -1488,11 +1488,7 @@ static X509 * readSslX509CertificatesCha
         if (X509_check_issued(certificate, certificate) == X509_V_OK)
             debugs(83, 5, "Certificate is self-signed, will not be chained");
         else {
-            if (sk_X509_push(chain, certificate))
-                CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
-            else
-                debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
-            // and add to the chain any certificate loaded from the file
+            // and add to the chain any other certificate exist in the file
             while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
                 if (!sk_X509_push(chain, ca))
                     debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
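Review bot: The rewritten comment no longer says where the signing certificate goes, and with the `sk_X509_push(chain, certificate)` lines removed the chain built here holds only the additional certificates read from the file. The first hunk re-adds the signing certificate only in the generated-context path of `ConnStateData::getSslContextDone`, so any other consumer of this chain (none is visible here) would now present a chain without it; that is worth confirming. I would reword the comment along the lines of `// the signing certificate is added per context by the caller; chain only the remaining certificates in the file`. The enclosing function starts and ends outside the hunk.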