------------------------------------------------------------ revno: 12534 revision-id: squid3@treenet.co.nz-20130424154624-k1z77au4ozoeutfq parent: squid3@treenet.co.nz-20130424154326-cob1pc7eguux78b2 fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3816 author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.3 timestamp: Wed 2013-04-24 09:46:24 -0600 message: Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes The SSL_get_certificate implementation in OpenSSL 1.0.1d and 1.0.1e releases, will crash if called before the certificate sent to the client. This patch add a hack when one of the problematic OpenSSL versions used to retrieve the certificate directly from SSL_CTX object, instead of creating a temporary SSL object, and call SSL_get_certificate.
------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20130424154624-k1z77au4ozoeutfq # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: d99bdd463256ab57d1ff85692ce26bf6a1c7ef3e # timestamp: 2013-04-24 15:47:28 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20130424154326-\ # cob1pc7eguux78b2 # # Begin patch === modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2013-04-18 05:33:28 +0000
+++ src/ssl/support.cc 2013-04-24 15:46:24 +0000 
@@ -1411,9 +1411,18 @@
 bool
 Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties)
 {
+ // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e
+ // Try to retrieve certificate directly from SSL_CTX object
+#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL
+ X509 ***pCert = (X509 ***)sslContext->cert;
+ X509 * cert = pCert && *pCert ? **pCert : NULL;
+#else
 // Temporary ssl for getting X509 certificate from SSL_CTX.
 Ssl::SSL_Pointer ssl(SSL_new(sslContext));
 X509 * cert = SSL_get_certificate(ssl.get());
+#endif
+ if (!cert)
+ return false;
 ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
 ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
 bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
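Review bot: The `(X509 ***)sslContext->cert` cast in the `#if` branch hides a layout assumption that the code never states — if I read the OpenSSL 1.0.1 internals correctly, it relies on `SSL_CTX::cert` being a `struct cert_st *` whose first member `key` is a `CERT_PKEY *` whose first member is the `X509 *` — so a reader cannot check it against the headers that the two pinned version numbers are meant to match. I would put that next to the cast: `// 1.0.1d/e only: cert -> cert_st::key -> CERT_PKEY::x509; any other layout must use SSL_get_certificate below.` The `pCert && *pCert` check guards only the two pointers on that path and cannot detect a layout mismatch, which is why the exact-equality gate on OPENSSL_VERSION_NUMBER, rather than a range, is the right one and should be kept as is. The new `if (!cert) return false;` also applies to the `#else` branch, turning what was previously a NULL dereference into a failed verification; a one-line comment such as `// No certificate in the context: nothing to verify` would make that intent explicit. verifySslCertificate's body continues past the end of the hunk.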