[Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun May 12 23:40:57 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

Elias Ohm <info at eliasohm.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |info at eliasohm.de

--- Comment #4 from Elias Ohm <info at eliasohm.de> ---
Created attachment 204342
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204342&action=edit
fix/unify access to SSL_CTX certificate chains

For newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain
field (SSL_CTX_set0_chain_certs) belonging to a certificate, while in older
versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert), which is
always global to the context.

Reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for
newer versions (if not directly from staple->ssl_ctx->extra_certs in older
versions).
However, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls
back to reading chain_certs when no extra_certs are available, but breaks for some
other implementations where SSL_CTX_get_extra_chain_certs is implemented the way
SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. In addition, this
is an inconsistent use of the functions, and the functionality of trying extra
certs and falling back to the certificate chain is not needed here.
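As an added illustration (not part of the attachment, nginx or LibreSSL), a constructed C model of the mismatch the comment describes: a chain stored in the per-certificate field is only visible to a getter that reads that field or falls back to it. All struct and function names are hypothetical stand-ins for the OpenSSL calls, not the real API.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not OpenSSL's structures: a context holds a current
 * certificate with its own chain (filled by SSL_CTX_set0_chain*) and a
 * context-global extra_certs list (filled by SSL_CTX_add_extra_chain_cert).
 * Certificates are reduced to subject/issuer names. */
typedef struct { const char *subject, *issuer; } cert_t;
typedef struct { cert_t leaf; const cert_t *chain[4]; int nchain; } slot_t;
typedef struct { slot_t cur; const cert_t *extra[4]; int nextra; } ctx_t;
typedef int (*getter_t)(const ctx_t *, const cert_t **);

/* OpenSSL behaviour: extra_certs if present, else the current cert's chain. */
static int get_extra_chain_certs_fallback(const ctx_t *c, const cert_t **out) {
    if (c->nextra) { memcpy(out, c->extra, c->nextra * sizeof *out); return c->nextra; }
    memcpy(out, c->cur.chain, c->cur.nchain * sizeof *out);
    return c->cur.nchain;
}
/* "_only" behaviour reported for other libraries: extra_certs and nothing else. */
static int get_extra_chain_certs_only(const ctx_t *c, const cert_t **out) {
    memcpy(out, c->extra, c->nextra * sizeof *out);
    return c->nextra;
}
/* The dedicated chain field, the read counterpart of set0_chain. */
static int get0_chain_certs(const ctx_t *c, const cert_t **out) {
    memcpy(out, c->cur.chain, c->cur.nchain * sizeof *out);
    return c->cur.nchain;
}

/* Stapling needs the issuer of the leaf: 1 if the getter exposes it, else 0.
 * The context is built the "newer OpenSSL" way, chain in the dedicated field. */
int issuer_found_via(getter_t get) {
    static const cert_t inter = { "CN=Example Intermediate CA", "CN=Example Root CA" };
    ctx_t c = { { { "CN=www.example.test", "CN=Example Intermediate CA" },
                  { &inter }, 1 }, { 0 }, 0 };
    const cert_t *list[4];
    int n = get(&c, list);
    for (int i = 0; i < n; i++)
        if (strcmp(list[i]->subject, c.cur.leaf.issuer) == 0) return 1;
    return 0;
}

int main(void) {
    printf("fallback getter:  %d\n", issuer_found_via(get_extra_chain_certs_fallback));
    printf("_only getter:     %d\n", issuer_found_via(get_extra_chain_certs_only));
    printf("get0_chain_certs: %d\n", issuer_found_via(get0_chain_certs));
    return 0;
}
```

The middle case is the failure the bug reports: the issuer is never found, so no OCSP request can be built; reading with the counterpart of the setter that stored the chain avoids depending on the fallback.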
