Fix loading of certificate chains with OpenSSL 1.0.2

SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain.  When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.

Issue:		#79
pull/13/head
Daniel Roethlisberger 10 years ago
parent 3231c9c031
commit a027fb68cd

@ -1,6 +1,7 @@
### SSLsplit develop ### SSLsplit develop
- Fix loading of certificate chains with OpenSSL 1.0.2 (issue #79).
- Removed the non-standard word "unmodified" from the 2-clause BSD license. - Removed the non-standard word "unmodified" from the 2-clause BSD license.
- Add options -w and -W to write generated leaf key, original and forged - Add options -w and -W to write generated leaf key, original and forged
certificates to disk (issue #67 by @psychomario). certificates to disk (issue #67 by @psychomario).

ssl.c

@ -909,11 +909,9 @@ errout:
* Returns -1 on error. * Returns -1 on error.
* Not thread-safe. * Not thread-safe.
* *
* By accessing (SSLCTX*)->extra_certs directly, we depend on OpenSSL * By accessing (SSLCTX*)->extra_certs directly on OpenSSL before 1.0.2, we
* internals in this function. * depend on OpenSSL internals in this function. OpenSSL 1.0.2 introduced
* * the SSL_get0_chain_certs() API for accessing the certificate chain.
* XXX try to reimplement this with exposed BIO/ASN.1 functionality
* in order to get rid of the ->extra_certs direct access.
*/ */
int int
ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename) ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
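Review bot: the rewritten comment names `SSL_get0_chain_certs()`, but the code added further down calls `SSL_CTX_get0_chain_certs()`; both exist in OpenSSL 1.0.2 (one for an `SSL *`, one for an `SSL_CTX *`), so the comment should name the SSL_CTX variant that is actually used. While touching this block, `(SSLCTX*)->extra_certs` should read `(SSL_CTX*)->extra_certs`.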
@ -921,6 +919,7 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
X509 *tmpcrt; X509 *tmpcrt;
SSL_CTX *tmpctx; SSL_CTX *tmpctx;
SSL *tmpssl; SSL *tmpssl;
STACK_OF(X509) *tmpchain;
int rv; int rv;
if (ssl_init() == -1) if (ssl_init() == -1)
@ -947,6 +946,14 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
goto leave3; goto leave3;
} }
#if (OPENSSL_VERSION_NUMBER < 0x1000200fL)
tmpchain = tmpctx->extra_certs;
#else /* OpenSSL >= 1.0.2 */
rv = SSL_CTX_get0_chain_certs(tmpctx, &tmpchain);
if (rv != 1)
goto leave3;
#endif /* OpenSSL >= 1.0.2 */
if (crt) { if (crt) {
*crt = tmpcrt; *crt = tmpcrt;
} else { } else {
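Review bot: in the new `#else` branch, `rv = SSL_CTX_get0_chain_certs(tmpctx, &tmpchain); if (rv != 1) goto leave3;` leaves `rv` at the accessor's failure value (0) rather than the -1 this function documents as its error return, so if the `leave3` path returns `rv` the caller sees 0 for a failed load; set `rv = -1` before the `goto`, or confirm that `leave3` returns -1 unconditionally. Note also that a `get0` accessor hands back the stack owned by the `SSL_CTX` without taking a reference, so the per-certificate `ssl_x509_refcount_inc()` in the copy loop remains required and must not be dropped as part of this change.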
@ -954,8 +961,8 @@ ssl_x509chain_load(X509 **crt, STACK_OF(X509) **chain, const char *filename)
} }
ssl_x509_refcount_inc(tmpcrt); ssl_x509_refcount_inc(tmpcrt);
for (int i = 0; i < sk_X509_num(tmpctx->extra_certs); i++) { for (int i = 0; i < sk_X509_num(tmpchain); i++) {
tmpcrt = sk_X509_value(tmpctx->extra_certs, i); tmpcrt = sk_X509_value(tmpchain, i);
ssl_x509_refcount_inc(tmpcrt); ssl_x509_refcount_inc(tmpcrt);
sk_X509_push(*chain, tmpcrt); sk_X509_push(*chain, tmpcrt);
} }
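Review bot: `sk_X509_num(tmpchain)` and `sk_X509_value(tmpchain, i)` must tolerate `tmpchain == NULL`, which `SSL_CTX_get0_chain_certs()` may yield when the PEM file carried no chain certificates; OpenSSL's `sk_num()` returns -1 for a NULL stack, so the loop body is skipped and this is safe, but a one-line comment stating that the NULL case is relied upon would help, since the pre-1.0.2 `extra_certs` path depends on the same behaviour.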
