------------------------------------------------------------ revno: 13739 revision-id: squid3@treenet.co.nz-20150124045339-93hdn1m1554zjhb2 parent: squid3@treenet.co.nz-20150122140141-j9smchi44865t57t author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.5 timestamp: Fri 2015-01-23 20:53:39 -0800 message: Add missing root CAs when validating chains that passed internal checks. When internal checks found no certificate errors, Squid does not include root CA certificate in certificates chain sent to the certificate validator. Squid just sent the certificates chain sent by the SSL server. This patch stores the full certificates list built by OpenSSL while validating the SSL server certificates chain, even if no certificate error found and sends this list to certificate validator. This is a Measurement Factory project ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20150124045339-93hdn1m1554zjhb2 # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # testament_sha1: 07215848d4270615f08f8f78552f54b35cdf464f # timestamp: 2015-01-24 05:01:21 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # base_revision_id: squid3@treenet.co.nz-20150122140141-\ # j9smchi44865t57t # # Begin patch
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2015-01-22 14:00:04 +0000
+++ src/ssl/support.cc 2015-01-24 04:53:39 +0000
@@ -312,16 +312,19 @@ // pass them to certficate validator for more processing else if (Ssl::TheConfig.ssl_crt_validator) { ok = 1; - // Check if we have stored certificates chain. Store if not. - if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) { - STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx); - if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack)) - sk_X509_pop_free(certStack, X509_free); - } } } } + if (Ssl::TheConfig.ssl_crt_validator) { + // Check if we have stored certificates chain. Store if not. + if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) { + STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx); + if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack)) + sk_X509_pop_free(certStack, X509_free); + } + } + if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { // Find the broken certificate. It may be intermediate.