From: William Lallemand Date: Fri, 26 Sep 2025 07:22:55 +0000 (+0200) Subject: BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file X-Git-Tag: v3.0.12~6 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=refs%2Fheads%2Fnext;p=haproxy-3.0.git BUG/MEDIUM: ssl: ca-file directory mode must read every certificates of a file The httpclient is configured with @system-ca by default, which uses the directory returned by X509_get_default_cert_dir(). On debian/ubuntu systems, this directory contains multiple certificate files that are loaded successfully. However it seems that on other systems the files in this directory is the direct result of ca-certificates instead of its source. Meaning that you would only have a bundle file with every certificates in it. The loading was not done correctly in case of directory loading, and was only loading the first certificate of each file. This patch fixes the issue by using X509_STORE_load_locations() on each file from the scandir instead of trying to load it manually with BIO. Not that we can't use X509_STORE_load_locations with the `dir` argument, which would be simpler, because it uses X509_LOOKUP_hash_dir() which requires a directory in hash form. That wouldn't be suited for this use case. Must be backported in every stable branches. Fix issue #3137. (cherry picked from commit c52d69cc785c039c0b665a229350fff11cfeda13) Signed-off-by: Christopher Faulet (cherry picked from commit a96a1ef0a48a9b5b3883346bb21c79b95fa653eb) Signed-off-by: Christopher Faulet (cherry picked from commit 8c014f305e7fd6ad9123f38067262c457fbe488f) Signed-off-by: Christopher Faulet --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 5a6fc62..77e760f 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1405,8 +1405,6 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ for (i= 0; i < n; i++) { char *end; struct dirent *de = de_list[i]; - BIO *in = NULL; - X509 *ca = NULL;; ERR_clear_error(); @@ -1426,34 +1424,16 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ free(de); continue; } - in = BIO_new(BIO_s_file()); - if (in == NULL) - goto scandir_err; chunk_printf(&trash, "%s/%s", dir, de->d_name); - - if (BIO_read_filename(in, trash.area) == 0) - goto scandir_err; - - if (PEM_read_bio_X509_AUX(in, &ca, NULL, NULL) == NULL) + if (!X509_STORE_load_locations(store, trash.area, NULL)) goto scandir_err; - if (X509_STORE_add_cert(store, ca) == 0) { - /* only exits on error if the error is not about duplicate certificates */ - if (!(ERR_GET_REASON(ERR_get_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE)) { - goto scandir_err; - } - } - - X509_free(ca); - BIO_free(in); free(de); continue; scandir_err: e = ERR_get_error(); - X509_free(ca); - BIO_free(in); free(de); /* warn if it can load one of the files, but don't abort */ if (!shuterror)