[squid-dev] SSL Bump Certificate Chain

Dave Lewthwaite Dave.Lewthwaite at realitymine.com
Wed Feb 3 15:57:26 UTC 2016


Hi,

I have worked out a simple fix for this bug http://bugs.squid-cache.org/show_bug.cgi?id=4337

To test, I've copied the code which adds the certificate to the chain from ConnStateData::getSslContextDone to ConnStateData::getSslContextStart, inside the sslBump decision (if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)))

Addition:

            SSL_CTX * ctx = SSL_get_SSL_CTX(ssl);
            // attach the signing certificate to the context so it is sent along with the mimicked server certificate
            X509 *cert = port->signingCert.get();
            if (SSL_CTX_add_extra_chain_cert(ctx, cert)) {
                // increase the certificate lock: the context now holds its own reference to cert
                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
            } else {
                const int ssl_error = ERR_get_error();
                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
            }
            // append any further configured intermediates (certsToChain) after the signing certificate
            Ssl::addChainToSslContext(ctx, port->certsToChain.get());

There will be a better way of doing this (definitely one that doesn't involve duplicating code), but it at least pinpoints the problem.
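An offline way to see why getting the signing certificate into the served chain matters, added here as an example and not part of the post or of Squid's own code: the script builds a constructed root CA, a signing (intermediate) CA and a mimicked leaf with the openssl CLI, then verifies the leaf against the root once with only the leaf (what a client is left with when the signing certificate is not sent) and once with the signing certificate supplied alongside it. All names, subjects and file paths are made up for the demonstration; it assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or Squid): reproduce, without
# any network, the client-side effect of a chain that lacks the signing CA.
# Everything below is constructed test material in a temporary directory.

# gen_pki DIR: root CA -> signing CA -> leaf, the shape a bumping proxy serves.
gen_pki() {
  dir=$1
  # Root CA, self-signed: stands in for the CA the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Example Root CA (constructed)" >/dev/null 2>&1
  # Signing CA issued by the root: the role port->signingCert plays in Squid.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/signing.key" -out "$dir/signing.csr" \
    -subj "/CN=Example Signing CA (constructed)" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -days 1 -in "$dir/signing.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/signing.pem" >/dev/null 2>&1
  # Leaf certificate, as the proxy would mimic for an origin host.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=origin.example" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:origin.example\n' \
    > "$dir/leaf.ext"
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/signing.pem" -CAkey "$dir/signing.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_chain ROOT LEAF [INTERMEDIATE]
# Mirrors what a client does: trust only ROOT, and use as untrusted chain
# material only what the server actually sent. Prints "ok" or "fail".
verify_chain() {
  root=$1; leaf=$2; inter=$3
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# demo: run both cases and clean up.
demo() {
  dir=$(mktemp -d)
  gen_pki "$dir"
  echo "leaf only (signing cert not sent):      $(verify_chain "$dir/root.pem" "$dir/leaf.pem")"
  echo "leaf + signing cert (sent in chain):    $(verify_chain "$dir/root.pem" "$dir/leaf.pem" "$dir/signing.pem")"
  rm -rf "$dir"
}
```

Run `demo` (or source the file and call it) to see the two results side by side; the first case is what a client sees when the signing certificate never reaches the SSL_CTX chain, the second is the situation the copied code restores.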
