Date: Sun, 12 May 2019 23:40:54 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 237757] www/nginx-devel: OCSP stapling broken with security/libressl 2.9.1
Message-ID: <bug-237757-7788-IX1PACjf84@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-237757-7788@https.bugs.freebsd.org/bugzilla/>
References: <bug-237757-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237757

Elias Ohm <info@eliasohm.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |info@eliasohm.de

--- Comment #4 from Elias Ohm <info@eliasohm.de> ---
Created attachment 204342
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204342&action=edit
fix/unify access to SSL_CTX certificate chains

For newer OpenSSL versions (1.0.2+) the chain is stored in the dedicated chain field (SSL_CTX_set0_chain_certs) belonging to a certificate, while in older versions the extra_chain had to be used (SSL_CTX_add_extra_chain_cert), which is always global to the context.

Reading the chain is still implemented with SSL_CTX_get_extra_chain_certs for newer versions (if not directly from staple->ssl_ctx->extra_certs in older versions). However, this works for OpenSSL, where SSL_CTX_get_extra_chain_certs falls back to reading chain_certs when no extra_certs are available, but breaks for some other implementations where SSL_CTX_get_extra_chain_certs is implemented the way SSL_CTX_get_extra_chain_certs_only is implemented in OpenSSL. In addition, this is inconsistent use of the functions, and the functionality of trying extra certs and falling back to the certificate chain is not needed here.

-- 
You are receiving this mail because:
You are the assignee for the bug.