Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix loading of certificate chains with OpenSSL 1.0.2

Browse Source 
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain.  When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.

Issue:		#79
pull/13/head
Daniel Roethlisberger 9 years ago
parent 3231c9c031
commit a027fb68cd
2 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File

1
NEWS.md
Unescape Escape View File

@ -1,6 +1,7 @@
### SSLsplit develop
- Fix loading of certificate chains with OpenSSL 1.0.2 (issue #79).
- Removed the non-standard word "unmodified" from the 2-clause BSD license.
- Add options -w and -W to write generated leaf key, original and forged
certificates to disk (issue #67 by @psychomario).

21
ssl.c
Unescape Escape View File

@ -909,11 +909,9 @@ errout:
* Returns -1 on error.
* Not thread-safe.
*
* By accessing (SSLCTX*)->extra_certs directly, we depend on OpenSSL
* internals in this function.
*
* XXX try to reimplement this with exposed BIO/ASN.1 functionality
* in order to get rid of the ->extra_certs direct access.
* By accessing (SSLCTX*)->extra_certs directly on OpenSSL before 1.0.2, we
* depend on OpenSSL internals in this function. OpenSSL 1.0.2 introduced
* the SSL_get0_chain_certs() API for accessing the certificate chain.
*/
int
ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
@ -921,6 +919,7 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
X509 *tmpcrt;
SSL_CTX *tmpctx;
SSL *tmpssl;
STACK_OF(X509) *tmpchain;
int rv;
if (ssl_init() == -1)
@ -947,6 +946,14 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
goto leave3;
}
#if (OPENSSL_VERSION_NUMBER < 0x1000200fL)
tmpchain = tmpctx->extra_certs;
#else /* OpenSSL >= 1.0.2 */
rv = SSL_CTX_get0_chain_certs(tmpctx, &tmpchain);
if (rv != 1)
goto leave3;
#endif /* OpenSSL >= 1.0.2 */
if (crt) {
*crt = tmpcrt;
} else {
@ -954,8 +961,8 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
}
ssl_x509_refcount_inc(tmpcrt);
for (int i = 0; i < sk_X509_num(tmpctx->extra_certs); i++) {
tmpcrt = sk_X509_value(tmpctx->extra_certs, i);
for (int i = 0; i < sk_X509_num(tmpchain); i++) {
tmpcrt = sk_X509_value(tmpchain, i);
ssl_x509_refcount_inc(tmpcrt);
sk_X509_push(*chain, tmpcrt);
}

Write Preview
Loading…
Cancel
Save