| From aa81834bc3ff47aa5cc66b6763678d3cf47a3d54 Mon Sep 17 00:00:00 2001 |
| From: Glenn Strauss <gstrauss@gluelogic.com> |
| Date: Fri, 12 Mar 2021 20:03:38 -0500 |
| Subject: [PATCH] [mod_openssl] skip cert chain build if self-issued |
| |
| If cert is self-issued, then do not attempt to build certificate chain. |
| |
| (Attempting to build certificate chain when chain is not provided, but |
| ssl.ca-file is specified, is provided as backward compatible behavior |
| from lighttpd versions prior to lighttpd 1.4.56) |
| |
| Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> |
| --- |
| src/mod_openssl.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/src/mod_openssl.c |
| +++ b/src/mod_openssl.c |
| @@ -103,6 +103,7 @@ typedef struct { |
| time_t ssl_stapling_loadts; |
| time_t ssl_stapling_nextts; |
| char must_staple; |
| + char self_issued; |
| } plugin_cert; |
| |
| typedef struct { |
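Review bot: The new `self_issued` field in plugin_cert carries no comment, and "self-issued" has a precise meaning (subject name equals issuer name, RFC 5280 §3.2) that is distinct from "self-signed"; a reader of the struct alone cannot tell which is meant or what consumes the flag. I would annotate the field, e.g. `char self_issued; /* subject == issuer (RFC 5280 self-issued); skip cert chain build */`, so the struct documents the contract that the later hunks rely on.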
| @@ -1081,7 +1082,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg |
| #if !defined(BORINGSSL_API_VERSION) \ |
| && !defined(LIBRESSL_VERSION_NUMBER) |
| /* (missing SSL_set1_chain_cert_store() and SSL_build_cert_chain()) */ |
| - else if (hctx->conf.ssl_ca_file) { |
| + else if (hctx->conf.ssl_ca_file && !pc->self_issued) { |
| /* preserve legacy behavior whereby openssl will reuse CAs trusted for |
| * certificate verification (set by SSL_CTX_load_verify_locations() in |
| * SSL_CTX) in order to build certificate chain for server certificate |
| @@ -1671,6 +1672,9 @@ network_openssl_load_pemfile (server *sr |
| #else |
| pc->must_staple = 0; |
| #endif |
| + pc->self_issued = |
| + (0 == X509_NAME_cmp(X509_get_subject_name(ssl_pemfile_x509), |
| + X509_get_issuer_name(ssl_pemfile_x509))); |
| |
| if (!buffer_string_is_empty(pc->ssl_stapling_file)) { |
| #ifndef OPENSSL_NO_OCSP |
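Review bot: The subject/issuer name comparison detects a self-issued certificate, not a self-signed one, so a self-issued certificate that is signed by a different key (for example a CA key-rollover certificate) will also skip chain building; that seems acceptable for a server leaf certificate but is worth stating in a comment above the assignment, e.g. `/* self-issued (subject == issuer, RFC 5280 3.2), not necessarily self-signed; such a cert has no chain to build */`. In recent OpenSSL versions X509_NAME_cmp() can also return -2 on an encoding error, which the `0 ==` test maps to "not self-issued" and thus to the legacy chain-build path; that fallback is reasonable, and a one-line comment noting that errors deliberately fall back to the old behaviour would keep it from looking accidental. network_openssl_load_pemfile begins and ends outside this hunk.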