From 4be4c0cddc6edd87bd3f748e50cd60fd1497f012 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Wed, 30 Aug 2017 22:27:02 +0900
Subject: [PATCH] Revert "nghttpx: Verify OCSP response using trusted CA certificates"

This reverts commit 59c78d58092dd61380a2907a4798b45d5d47f5a1.
---
 src/shrpx.cc | 13 +++++-------
 src/shrpx_tls.cc | 21 +++------------------
 2 files changed, 8 insertions(+), 26 deletions(-)

diff --git a/src/shrpx.cc b/src/shrpx.cc
index f8a8f364..ff92e1af 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2071,14 +2071,11 @@ SSL/TLS:
 Don't verify backend server's certificate if TLS is
 enabled for backend connections.
 --cacert=
- Set path to trusted CA certificate file. It is used in
- backend TLS connections to verify peer's certificate.
- It is also used to verify OCSP response from the script
- set by --fetch-ocsp-response-file. The file must be in
- PEM format. It can contain multiple certificates. If
- the linked OpenSSL is configured to load system wide
- certificates, they are loaded at startup regardless of
- this option.
+ Set path to trusted CA certificate file used in backend
+ TLS connections. The file must be in PEM format. It
+ can contain multiple certificates. If the linked
+ OpenSSL is configured to load system wide certificates,
+ they are loaded at startup regardless of this option.
 --private-key-passwd-file=
 Path to file that contains password for the server's
 private key. If none is given and the private key is
diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index 19899d83..43737b58 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -831,22 +831,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
 }
 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
-
- if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
- LOG(WARN) << "Could not load system trusted ca certificates: "
- << ERR_error_string(ERR_get_error(), nullptr);
- }
-
- if (!tlsconf.cacert.empty()) {
- if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
- nullptr) != 1) {
- LOG(FATAL) << "Could not load trusted ca certificates from "
- << tlsconf.cacert << ": "
- << ERR_error_string(ERR_get_error(), nullptr);
- DIE();
- }
- }
-
 if (!tlsconf.private_key_passwd.empty()) {
 SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@@ -1864,11 +1848,12 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
 }
 auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
- auto store = SSL_CTX_get_cert_store(ssl_ctx);
+ auto store = X509_STORE_new();
+ auto store_deleter = defer(X509_STORE_free, store);
 ERR_clear_error();
- rv = OCSP_basic_verify(bs, chain_certs, store, 0);
+ rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
 if (rv != 1) {
 LOG(ERROR) << "OCSP_basic_verify failed: "
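Review bot: Nothing on the new side of the create_ssl_context hunk records that the server SSL_CTX is now built without the default verify paths and the --cacert anchors the removed lines used to load, so a later reader may assume SSL_CTX_get_cert_store() on this context can still anchor a verification. The second hunk shows verify_ocsp_response no longer depending on that store — it verifies against its own X509_STORE_new() store with OCSP_TRUSTOTHER, which presumably accepts a response only when its signer is among chain_certs — and that intent is easy to lose on the next edit. A comment after `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` such as `// Deliberately no trust anchors are loaded here; verify_ocsp_response uses its own X509_STORE.` would record it. create_ssl_context begins before and continues past this hunk.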