From c0e4f862ad25dd99e98e1bda2b2a8ac406461080 Mon Sep 17 00:00:00 2001
From: Kaspar Brand
Date: Sun, 5 Jan 2014 07:15:59 +0000
Subject: [PATCH] Remove per-certificate chain handling code (obsoleted by https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1555463 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_init.c | 76 -----------------------------------
 1 file changed, 76 deletions(-)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index ddfdfb5c13..daf4ea161f 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -911,34 +911,6 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
 return APR_EGENERAL;
 }
-
-#if defined(SSL_CTX_set1_chain)
- /*
- * OpenSSL 1.0.2 and later supports certificate-specific
- * chains with intermediate CA certificates.
- * SSL_CTX_use_certificate_chain_file currently (Dec 2013)
- * loads them to ctx->extra_certs, however, which possibly
- * overwrites a previously configured chain.
- * If more than one SSLCertificateFile is configured for
- * this server_rec, we manually "convert" the chain
- * to a per-certificate setting.
- */
- if (mctx->pks->cert_files->nelts > 1) {
- STACK_OF(X509) *extra_certs;
- if ((SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx,
- &extra_certs) > 0) &&
- (sk_X509_num(extra_certs) > 0) &&
- (SSL_CTX_set1_chain(mctx->ssl_ctx, extra_certs) > 0)) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- APLOGNO(02563)
- "Per-certificate chain for %s configured "
- "(%d certificate[s])",
- key_id, sk_X509_num(extra_certs));
- /* clear the "global" chain for this SSL_CTX */
- SSL_CTX_clear_extra_chain_certs(mctx->ssl_ctx);
- }
- }
-#endif
 }
 /* and second, the private key */
@@ -1325,54 +1297,6 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
 param->name, param->value, sc->vhost_id);
 }
- if (!strcasecmp(param->name, "Certificate")) {
- /*
- * Special case: a certificate has been loaded via
- * SSLOpenSSLConfCmd. Two potential tweaks are needed
- * (similar to what is done in ssl_init_server_certs,
- * see the comments there for the rationale):
- * a) "fixing up" the per-certificate chain
- * b) configure OCSP stapling for the cert
- */
-#if defined(SSL_CTX_set1_chain)
- STACK_OF(X509) *extra_certs;
- if ((SSL_CTX_get_extra_chain_certs(sc->server->ssl_ctx,
- &extra_certs) > 0) &&
- (sk_X509_num(extra_certs) > 0) &&
- (SSL_CTX_set1_chain(sc->server->ssl_ctx, extra_certs) > 0)) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02570)
- "Per-certificate chain for certificate "
- "loaded from %s for %s configured "
- "(%d certificate[s])",
- param->value, sc->vhost_id,
- sk_X509_num(extra_certs));
- /* clear the "global" chain for this SSL_CTX */
- SSL_CTX_clear_extra_chain_certs(sc->server->ssl_ctx);
- }
-#endif
-#ifdef HAVE_OCSP_STAPLING
- if (sc->server->stapling_enabled == TRUE) {
- X509 *cert;
-#ifndef HAVE_SSL_CONF_CMD
- SSL *ssl;
- if (!(ssl = SSL_new(sc->server->ssl_ctx)) ||
- !(cert = SSL_get_certificate(ssl)) ||
-#else
- if (!(cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx)) ||
-#endif
- !ssl_stapling_init_cert(s, sc->server, cert)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
- "Unable to configure certificate loaded "
- "from %s for %s for stapling",
- param->value, sc->vhost_id);
- }
-#ifndef HAVE_SSL_CONF_CMD
- if (ssl)
- SSL_free(ssl);
-#endif
- }
-#endif
- }
 }
 if (SSL_CONF_CTX_finish(cctx) == 0) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
-- 
2.40.0