Chained + unchained SSL cert patch

From: Travis Lansdell <tlansdell@dont-contact.us>
Date: Mon, 25 Jul 2005 18:04:24 -0500

There's an old thread on squid-users from 16 Dec 2003 with the subject
line "SSL gateway using chained certs?" that I wrote a patch for about
a year ago, but forgot to send it on to you guys. The original
problem was that people weren't able to use chained SSL certs within
Squid, but the problem was addressed through the patch available here:

http://devel.squid-cache.org/old_projects.html#ssl

The problem I had with the Squid-provided patch is that I couldn't use
both chained and regular SSL certificates simultaneously, so I made my
own patch (below) that allows for both types of certs to be used.
I did take a look at squid-2.5.STABLE10's source, and my patch is
still valid even though it's a year old (my original patch was from
squid-2.5.STABLE3). The patch is extremely simple, and has had no
deleterious effects on the reverse SSL proxy environment in which I
implemented it last summer, but I don't know Squid's patching policy
at all so perhaps this is too late. In any event, I updated the patch
to diff against squid-2.5.STABLE10, so do with it as you wish. I do
hope this was helpful.

-travis

==================
--- squid-2.5.STABLE10/src/ssl_support.c.ORIG 2003-12-11
01:53:11.000000000 -0600
+++ squid-2.5.STABLE10/src/ssl_support.c 2005-07-25 16:12:03.771748176 -0500
@@ -327,10 +327,12 @@
         }
     }
     debug(83, 1) ("Using certificate in %s\n", certfile);
- if (!SSL_CTX_use_certificate_file(sslContext, certfile,
SSL_FILETYPE_PEM)) {
- ssl_error = ERR_get_error();
- fatalf("Failed to acquire SSL certificate: %s\n",
- ERR_error_string(ssl_error, NULL));
+ if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
+ if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM)) {
+ ssl_error = ERR_get_error();
+ fatalf("Failed to acquire SSL certificate: %s\n",
+ ERR_error_string(ssl_error, NULL));
+ }
     }
     debug(83, 1) ("Using private key in %s\n", keyfile);
     if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
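Review bot: the inner fallback in this hunk is effectively redundant, and the error it reports is misleading: SSL_CTX_use_certificate_chain_file() accepts a PEM file that holds only the end-entity certificate (the "additional" chain certificates are optional), so a file that fails the chain load will in practice fail SSL_CTX_use_certificate_file(..., SSL_FILETYPE_PEM) as well, and because the first failure is still on the OpenSSL error queue, the ERR_get_error() in the fallback branch returns the chain-load error rather than the one from the call just made. Either drop the inner `if (!SSL_CTX_use_certificate_file(sslContext, certfile, SSL_FILETYPE_PEM))` and report the chain failure directly, or call ERR_clear_error() before the second attempt so the fatalf() message reflects it; in both cases the preceding `debug(83, 1) ("Using certificate in %s\n", certfile);` should say that the file may now contain a chain, since that is the behaviour change operators need to know about.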
==================
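The patch above makes Squid accept either a bare server certificate or a leaf-plus-intermediates bundle in the same certfile, so a deployment question follows from it: before pointing Squid at a PEM file, which kind is it, is the leaf first, and has a private key been bundled in by mistake (Squid reads the key from the separate keyfile)? The following PEM inspector is an added example written for this page; it is not code from the post or from Squid. It parses the PEM framing and checks that each body is base64 wrapping a DER SEQUENCE, which is the outer structure of every X.509 certificate and private key; it does not parse X.509 itself. The sample inputs are constructed: their bodies are a five-byte DER SEQUENCE, not real certificates.

```python
import base64
import re

# One PEM block: the label on the BEGIN/END lines and the base64 body between them.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text.

    Raises ValueError for a body that is not base64 or does not decode to a
    DER SEQUENCE, and when the text contains no PEM block at all.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        # X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not start with a DER SEQUENCE")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def classify_certfile(text):
    """Classify a Squid certfile: number of certificates, whether it is a chain
    (leaf followed by intermediates) and whether a private key is bundled in.

    The leaf must be the first block, which is the order
    SSL_CTX_use_certificate_chain_file() expects.
    """
    blocks = parse_pem_blocks(text)
    cert_count = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    key_present = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    if cert_count == 0:
        raise ValueError("certfile contains no CERTIFICATE block")
    if blocks[0][0] != "CERTIFICATE":
        raise ValueError("first PEM block must be the server (leaf) certificate")
    return {
        "certificates": cert_count,
        "chained": cert_count > 1,
        "private_key_present": key_present,
    }


# Constructed sample bodies: "MAMCAQE=" is the DER SEQUENCE { INTEGER 1 },
# i.e. bytes 30 03 02 01 01, standing in for real certificate/key data.
_FAKE_DER_B64 = "MAMCAQE="
_CERT_BLOCK = f"-----BEGIN CERTIFICATE-----\n{_FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
_KEY_BLOCK = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_DER_B64}\n-----END RSA PRIVATE KEY-----\n"

LEAF_ONLY_SAMPLE = _CERT_BLOCK                     # unchained certfile
CHAINED_SAMPLE = _CERT_BLOCK + _CERT_BLOCK         # leaf + one intermediate
KEY_BUNDLED_SAMPLE = _CERT_BLOCK + _KEY_BLOCK      # key mistakenly in the certfile
BAD_SAMPLE = "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("leaf only", LEAF_ONLY_SAMPLE),
                         ("chained", CHAINED_SAMPLE),
                         ("key bundled", KEY_BUNDLED_SAMPLE)]:
        print(name, classify_certfile(sample))
    try:
        classify_certfile(BAD_SAMPLE)
    except ValueError as err:
        print("bad file rejected:", err)
```

Run it against the real certfile by reading the file into `classify_certfile()`; a result with `chained` false on a server whose CA issues through an intermediate means clients will see an incomplete chain even though the patched Squid loads the file without complaint, and `private_key_present` true means the key is exposed wherever the certificate bundle is copied.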
Received on Mon Jul 25 2005 - 19:56:18 MDT
