From 3fe73cd3c6c27098a0ec4f820fc6e9c6c07b8eef Mon Sep 17 00:00:00 2001
From: wfurt
Date: Tue, 6 Apr 2021 11:27:46 -0700
Subject: [PATCH 1/3] pass CA certificates to SSLCtx when provided
---
 src/platform/tls_openssl.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c
index f92dc551b1..6e63bae3a2 100644
--- a/src/platform/tls_openssl.c
+++ b/src/platform/tls_openssl.c
@@ -1154,11 +1154,16 @@ CxPlatTlsSecConfigCreate(
 goto Exit;
 }
- STACK_OF(X509) *Ca = NULL;
+ STACK_OF(X509) *CaCertificates = NULL;
 Ret =
- PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &Ca);
- if (Ca) {
- sk_X509_pop_free(Ca, X509_free); // no handling for custom certificate chains yet.
+ PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &CaCertificates);
+ if (CaCertificates) {
+ X509* CaCert;
+ while ((CaCert = sk_X509_pop(CaCertificates)))
+ {
+ // This transfers ownership to SSLCtx and CaCert does not need to be freed.
+ SSL_CTX_add_extra_chain_cert(SecurityConfig->SSLCtx, CaCert);
+ }
 }
 if (Pkcs12) {
 PKCS12_free(Pkcs12);
From cf2264698634a703a0808628c33fd0f61fede19b Mon Sep 17 00:00:00 2001
From: Nick Banks
Date: Tue, 6 Apr 2021 12:01:19 -0700
Subject: [PATCH 2/3] Apply suggestions from code review
---
 src/platform/tls_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c
index 6e63bae3a2..2e82c5bdd2 100644
--- a/src/platform/tls_openssl.c
+++ b/src/platform/tls_openssl.c
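Review bot: The `CaCertificates` container is leaked after the new loop in the `if (CaCertificates)` block — `sk_X509_pop` only removes the elements, and the deleted `sk_X509_pop_free` call was what released the stack itself, so `sk_X509_free(CaCertificates);` is needed once the loop exits. The result of `SSL_CTX_add_extra_chain_cert` is also ignored; the SSLCtx only owns a certificate it actually attached, so a failed call silently drops part of the chain presented to peers and leaks that `CaCert`, and the comment saying it need not be freed holds only on the success path. Popping from the end also hands the certificates to the context in the reverse of the stack's order, and whether that yields the chain order peers expect depends on what PKCS12_parse produces, which is worth confirming with a multi-level chain. I would check the return, free the certificate on failure and leave through the function's existing `goto Exit` path as sketched below; CxPlatTlsSecConfigCreate begins and ends outside the hunk, so the status value that path expects is not visible here. The same applies to the reworked loop in `[PATCH 2/3]` and `[PATCH 3/3]`, which change only the loop header and comment framing.
```c
            if (CaCertificates) {
                X509* CaCert;
                while ((CaCert = sk_X509_pop(CaCertificates)) != NULL) {
                    if (SSL_CTX_add_extra_chain_cert(SecurityConfig->SSLCtx, CaCert) != 1) {
                        // Not attached, so the SSLCtx did not take ownership of CaCert.
                        X509_free(CaCert);
                        sk_X509_pop_free(CaCertificates, X509_free);
                        // TODO(review): set the function's failure status here, as the
                        // surrounding error paths do, before leaving.
                        goto Exit;
                    }
                }
                // The stack is empty now, but the container is still ours to free.
                sk_X509_free(CaCertificates);
            }
            // … unchanged: Pkcs12 cleanup …
```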
@@ -1159,9 +1159,11 @@ CxPlatTlsSecConfigCreate(
 PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &CaCertificates);
 if (CaCertificates) {
 X509* CaCert;
- while ((CaCert = sk_X509_pop(CaCertificates)))
+ while ((CaCert = sk_X509_pop(CaCertificates)) != NULL)
 {
+ //
 // This transfers ownership to SSLCtx and CaCert does not need to be freed.
+ //
 SSL_CTX_add_extra_chain_cert(SecurityConfig->SSLCtx, CaCert);
 }
 }
From 0b455d34422f88c8dde383fe7443c9207fa1a309 Mon Sep 17 00:00:00 2001
From: Nick Banks
Date: Tue, 6 Apr 2021 12:02:13 -0700
Subject: [PATCH 3/3] Update src/platform/tls_openssl.c
---
 src/platform/tls_openssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c
index 2e82c5bdd2..02bf59b35d 100644
--- a/src/platform/tls_openssl.c
+++ b/src/platform/tls_openssl.c
@@ -1159,8 +1159,7 @@ CxPlatTlsSecConfigCreate(
 PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &CaCertificates);
 if (CaCertificates) {
 X509* CaCert;
- while ((CaCert = sk_X509_pop(CaCertificates)) != NULL)
- {
+ while ((CaCert = sk_X509_pop(CaCertificates)) != NULL) {
 //
 // This transfers ownership to SSLCtx and CaCert does not need to be freed.
 //