bughz/3proxy
1
0
Fork 0
mirror of https://github.com/3proxy/3proxy.git synced 2025-08-15 11:57:07 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixed: ssl_server_cert doesn't read full certificate chain

Browse Source
This commit is contained in:
Vladimir Dubrovin 2025-08-10 14:36:00 +03:00
parent 2966836dfa
commit 724946a834
1 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/plugins/SSLPlugin/ssl_plugin.c
View File

@ -361,11 +361,13 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
return NULL;
}
err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
if ( err <= 0 ) {
*errSSL = getSSLErr();
SSL_CTX_free(ctx);
return NULL;
if(server_cert) {
err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
if ( err <= 0 ) {
*errSSL = getSSLErr();
SSL_CTX_free(ctx);
return NULL;
}
}
err = SSL_CTX_use_PrivateKey(ctx, server_key);
@ -379,8 +381,6 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
if(config->server_verify){
fprintf(stderr, "server verify\n");
fflush(stderr);
if(config->server_ca_file || config->server_ca_dir){
SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
}
@ -483,18 +483,17 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
}
if(serv){
if(!srvcert || !srvkey) return sc;
sc->server_cert = getCert(srvcert);
if(!sc->server_cert){
fprintf(stderr, "failed to read: %s\n", srvcert);
return sc;
}
if(!sc->server_key){
return sc;
}
if(!(sc->cli_ctx = ssl_cli_ctx(sc, sc->server_cert, sc->server_key, &errSSL))){
if(!(sc->cli_ctx = ssl_cli_ctx(sc, NULL, sc->server_key, &errSSL))){
fprintf(stderr, "failed to create context: %s\n", errSSL);
return sc;
}
if(SSL_CTX_use_certificate_chain_file(sc->cli_ctx, srvcert) != 1){
fprintf(stderr, "failed to read server cert: %s\n", srvcert);
return sc;
}
sc->serv = 1;
}
if(mitm || cli || serv){
@ -534,7 +533,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
#endif
else
SSL_CTX_set_default_verify_paths(sc->srv_ctx);
SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
}
}
#ifdef WIWHSPLICE