------------------------------------------------------------ revno: 12623 revision-id: squid3@treenet.co.nz-20130911010503-sd3jkptbd24giu85 parent: squid3@treenet.co.nz-20130911010345-l9hvcbdaa3ih6s0y fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3849 author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.3 timestamp: Tue 2013-09-10 19:05:03 -0600 message: Bug 3849: Duplicate certificate sent when using https_port The certificate file given with the "cert=" option may contain a list of certificates to be sent as a chain to the SSL client, for example intermediate certificates. The bug was caused because the certificate chain also stored the certificate of the port. This works well for SSL-bump because squid generates a certificate which uses the port certificate as CA certificate. But in the case of https_port without bumping, the port certificate is sent twice: once as the SSL server certificate and once as a chained certificate. This patch tries to chain the port certificate only when sslbump is used. This is a Measurement Factory project ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20130911010503-sd3jkptbd24giu85 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 61c2b94431a8d045d23364c42cd240448e4c365a # timestamp: 2013-09-11 01:08:57 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20130911010345-\ # l9hvcbdaa3ih6s0y # # Begin patch === modified file 'src/client_side.cc' --- src/client_side.cc 2013-07-26 12:34:37 +0000 +++ src/client_side.cc 2013-09-11 01:05:03 +0000 
@@ -3853,8 +3853,18 @@
 // Try to add generated ssl context to storage.
 if (port->generateHostCertificates && isNew) {
- if (signAlgorithm == Ssl::algSignTrusted)
+ if (signAlgorithm == Ssl::algSignTrusted) {
+ // Add signing certificate to the certificates chain
+ X509 *cert = port->signingCert.get();
+ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+ // increase the certificate lock
+ CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+ } else {
+ const int ssl_error = ERR_get_error();
+ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+ }
 Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+ }
 //else it is self-signed or untrusted do not attrach any certificate
 Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2013-09-10 07:22:44 +0000
+++ src/ssl/support.cc 2013-09-11 01:05:03 +0000
@@ -1531,11 +1531,7 @@
 if (X509_check_issued(certificate, certificate) == X509_V_OK)
 debugs(83, 5, "Certificate is self-signed, will not be chained");
 else {
- if (sk_X509_push(chain, certificate))
- CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
- else
- debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
- // and add to the chain any certificate loaded from the file
+ // and add to the chain any other certificate exist in the file
 while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
 if (!sk_X509_push(chain, ca))
 debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
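Review bot: `const int ssl_error = ERR_get_error();` in the new else-branch narrows the `unsigned long` that `ERR_get_error()` returns, so the code later passed to `ERR_error_string()` can differ from the one OpenSSL reported; declare it as `const unsigned long ssl_error = ERR_get_error();`. The comment `// increase the certificate lock` also understates why the bump is needed: `SSL_CTX_add_extra_chain_cert()` takes ownership of the certificate on success while `port->signingCert` keeps its own reference, so something like `// SSL_CTX_add_extra_chain_cert() took ownership of cert; bump the refcount so port->signingCert's reference stays valid` would tell the next reader what is going on. Poking `cert->references` directly ties the code to OpenSSL's non-opaque X509 layout, which newer OpenSSL releases hide behind `X509_up_ref()`. On the failure path the context is still passed to `Ssl::addChainToSslContext()` and (presumably, below the hunk) cached, so a client would receive the intermediates without the signing certificate; logging that at DBG_IMPORTANT looks right, but it is worth a comment saying the incomplete chain is intentional best-effort. The enclosing function starts before and ends after this hunk.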
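Review bot: The context line `debugs(83, 5, "Certificate is self-signed, will not be chained");` now describes behaviour this hunk removed — the signing certificate is no longer pushed onto `chain` in either branch, so the self-signed check only decides whether the remaining certificates in the file are read at all; a follow-up should reword it to something like `"Certificate is self-signed, not reading a chain from the file"`. The new comment also needs its grammar fixed: `// and add to the chain any other certificate that exists in the file`. The enclosing function starts and ends outside this hunk, so how `certificate` and `chain` are owned on the self-signed path cannot be confirmed from here.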