
Commit 1123da3

authored
Merge pull request #4904 from sysown/v3.0-4877
Fix certificate chain send during SSL handshake - Closes #4877
2 parents dd58ea0 + f206e1b commit 1123da3


1 file changed

+7
-25
lines changed


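--- a/src/proxy_tls.cpp
+++ b/src/proxy_tls.cpp
@@ -215,7 +215,7 @@ X509 * proxy_read_x509(const char *filen, bool bootstrap, std::string& msg) {
 }
 
 // return 0 un success
-int ssl_mkit(X509 **x509ca, X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days, bool bootstrap, std::string& msg) {
+int ssl_mkit(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days, bool bootstrap, std::string& msg) {
 X509 *x1;
 X509 *x2;
 EVP_PKEY *pk;
@@ -332,23 +332,18 @@ int ssl_mkit(X509 **x509ca, X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial
 // during bootstrap we just call the reads
 // if the read fails during bootstrap, proxysql immediately exists
 pk = proxy_key_read(ssl_key_fp, bootstrap, msg);
-x1 = proxy_read_x509(ssl_ca_fp, bootstrap, msg);
 x2 = proxy_read_x509(ssl_cert_fp, bootstrap, msg);
 } else {
 pk = proxy_key_read(ssl_key_fp, bootstrap, msg);
 if (pk) {
-x1 = proxy_read_x509(ssl_ca_fp, bootstrap, msg);
-if (x1) {
-x2 = proxy_read_x509(ssl_cert_fp, bootstrap, msg);
-}
+x2 = proxy_read_x509(ssl_cert_fp, bootstrap, msg);
 }
 // note that this is only relevant during PROXYSQL RELOAD TLS
-if (pk == NULL || x1 == NULL || x2 == NULL) {
+if (pk == NULL || x2 == NULL) {
 return 1;
 }
 }
 }
-*x509ca = x1;
 *x509p = x2;
 *pkeyp = pk;
 
@@ -377,7 +372,6 @@ int ssl_mkit(X509 **x509ca, X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial
 int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 BIO *bio_err;
 X509 *x509 = NULL;
-X509 *x509ca = NULL;
 EVP_PKEY *pkey = NULL;
 
 int ret = 0;
@@ -386,7 +380,7 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 
 if (bootstrap == true) {
 // this is legacy code, when keys are loaded only during bootstrap
-if (ssl_mkit(&x509ca, &x509, &pkey, 2048, 0, 730, true, msg) != 0) {
+if (ssl_mkit(&x509, &pkey, 2048, 0, 730, true, msg) != 0) {
 proxy_error("Unable to initialize SSL. Shutting down...\n");
 exit(EXIT_SUCCESS); // we exit gracefully to not be restarted
 }
@@ -396,11 +390,6 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 proxy_error("Unable to use SSL certificate. Shutting down...\n");
 exit(EXIT_SUCCESS); // we exit gracefully to not be restarted
 }
-if ( SSL_CTX_add_extra_chain_cert(GloVars.global.ssl_ctx, x509ca) <= 0 ) {
-ERR_print_errors_fp(stderr);
-proxy_error("Unable to use SSL CA chain. Shutting down...\n");
-exit(EXIT_SUCCESS); // we exit gracefully to not be restarted
-}
 if ( SSL_CTX_use_PrivateKey(GloVars.global.ssl_ctx, pkey) <= 0 ) {
 ERR_print_errors_fp(stderr);
 proxy_error("Unable to use SSL key. Shutting down...\n");
@@ -415,7 +404,7 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 
 // We set the locations for the certificates to be used for
 // verifications purposes.
-if (!SSL_CTX_load_verify_locations(GloVars.global.ssl_ctx, ssl_ca_fp, ssl_ca_fp)) {
+if (!SSL_CTX_load_verify_locations(GloVars.global.ssl_ctx, ssl_ca_fp, GloVars.datadir)) {
 proxy_error("Unable to load CA certificates location for verification. Shutting down\n");
 }
 
@@ -429,12 +418,11 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 } else {
 // here we use global.tmp_ssl_ctx instead of global.ssl_ctx
 // because we will try to swap at the end
-if (ssl_mkit(&x509ca, &x509, &pkey, 2048, 0, 730, false, msg) == 0) { // 0 on success
+if (ssl_mkit(&x509, &pkey, 2048, 0, 730, false, msg) == 0) { // 0 on success
 if (SSL_CTX_use_certificate(GloVars.global.tmp_ssl_ctx, x509) == 1) { // 1 on success
-if (SSL_CTX_add_extra_chain_cert(GloVars.global.tmp_ssl_ctx, x509ca) == 1) { // 1 on success
 if (SSL_CTX_use_PrivateKey(GloVars.global.tmp_ssl_ctx, pkey) == 1) { // 1 on success
 if (SSL_CTX_check_private_key(GloVars.global.tmp_ssl_ctx) == 1) { // 1 on success
-if (SSL_CTX_load_verify_locations(GloVars.global.tmp_ssl_ctx, ssl_ca_fp, ssl_ca_fp) == 1) { // 1 on success
+if (SSL_CTX_load_verify_locations(GloVars.global.tmp_ssl_ctx, ssl_ca_fp, GloVars.datadir) == 1) { // 1 on success
 
 // take the mutex
 std::lock_guard<std::mutex> lock(GloVars.global.ssl_mutex);
@@ -463,12 +451,6 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 msg = "Unable to use SSL key";
 ret = 1;
 }
-} else {
-ERR_print_errors_fp(stderr);
-proxy_error("Unable to use SSL CA chain\n");
-msg = "Unable to use SSL CA chain";
-ret = 1;
-}
 } else {
 ERR_print_errors_fp(stderr);
 proxy_error("Unable to use SSL certificate\n");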
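Review bot: With the SSL_CTX_add_extra_chain_cert calls removed, the only certificate ProxySQL presents in the handshake is the single X509 that proxy_read_x509 returns for ssl_cert_fp and SSL_CTX_use_certificate installs, so an intermediate CA certificate bundled in that file is no longer sent and peers that do not already hold the intermediate cannot build the chain. Unless ssl_cert_fp is documented as a leaf signed directly by a root the peers trust, load it with `SSL_CTX_use_certificate_chain_file(GloVars.global.ssl_ctx, ssl_cert_fp)` (and the same for tmp_ssl_ctx in the reload branch) so intermediates present in the file are still sent, and add a short comment at the SSL_CTX_use_certificate calls stating that the chain must come from ssl_cert_fp. In the two SSL_CTX_load_verify_locations hunks, passing GloVars.datadir as CApath makes the whole data directory a lookup location for trust anchors, so any certificate written there under a hashed file name would be accepted for peer verification; pass NULL as CApath, or a dedicated directory with tight permissions. `X509 *x1;` in the first hunk is no longer assigned anywhere in the hunks shown and looks like a dead declaration. ssl_mkit and ProxySQL_create_or_load_TLS both continue outside the hunks shown.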
