

  1. From aa81834bc3ff47aa5cc66b6763678d3cf47a3d54 Mon Sep 17 00:00:00 2001
  2. From: Glenn Strauss <gstrauss@gluelogic.com>
  3. Date: Fri, 12 Mar 2021 20:03:38 -0500
  4. Subject: [PATCH] [mod_openssl] skip cert chain build if self-issued
  5. If cert is self-issued, then do not attempt to build certificate chain.
  6. (Attempting to build certificate chain when chain is not provided, but
  7. ssl.ca-file is specified, is provided as backward compatible behavior
  8. from lighttpd versions prior to lighttpd 1.4.56)
  9. Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
  10. ---
  11. src/mod_openssl.c | 6 +++++-
  12. 1 file changed, 5 insertions(+), 1 deletion(-)
  13. --- a/src/mod_openssl.c
  14. +++ b/src/mod_openssl.c
  15. @@ -103,6 +103,7 @@ typedef struct {
  16. time_t ssl_stapling_loadts;
  17. time_t ssl_stapling_nextts;
  18. char must_staple;
  19. + char self_issued;
  20. } plugin_cert;
  21. typedef struct {
  22. @@ -1081,7 +1082,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg
  23. #if !defined(BORINGSSL_API_VERSION) \
  24. && !defined(LIBRESSL_VERSION_NUMBER)
  25. /* (missing SSL_set1_chain_cert_store() and SSL_build_cert_chain()) */
  26. - else if (hctx->conf.ssl_ca_file) {
  27. + else if (hctx->conf.ssl_ca_file && !pc->self_issued) {
  28. /* preserve legacy behavior whereby openssl will reuse CAs trusted for
  29. * certificate verification (set by SSL_CTX_load_verify_locations() in
  30. * SSL_CTX) in order to build certificate chain for server certificate
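Review bot: The new `!pc->self_issued` guard skips chain building on a subject==issuer name match, which identifies a self-issued certificate but not a self-signed one (RFC 5280 draws that distinction for CA key-rollover certificates, where an issuer with the same name signs with a different key); for such a leaf the existing ssl.ca-file fallback would previously have found the same-named issuer and the server now sends a bare leaf that clients cannot chain. If the intent is "no chain could exist", the flag should be set from a signature check rather than a name compare, e.g. `pc->self_issued = (X509_check_issued(ssl_pemfile_x509, ssl_pemfile_x509) == X509_V_OK);`, which is computed in the later hunk that runs past this view. Either way a comment on this branch such as `/* self-issued (subject == issuer): no chain to build from ssl.ca-file */` would record why the legacy fallback is bypassed, since the rest of the legacy-behavior comment still reads as if it always applies. The enclosing mod_openssl_cert_cb body starts and ends outside this hunk, and the BoringSSL/LibreSSL builds are excluded by the surrounding #if.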
  31. @@ -1671,6 +1672,9 @@ network_openssl_load_pemfile (server *sr
  32. #else
  33. pc->must_staple = 0;
  34. #endif
  35. + pc->self_issued =
  36. + (0 == X509_NAME_cmp(X509_get_subject_name(ssl_pemfile_x509),
  37. + X509_get_issuer_name(ssl_pemfile_x509)));
  38. if (!buffer_string_is_empty(pc->ssl_stapling_file)) {
  39. #ifndef OPENSSL_NO_OCSP