From 876efd6b752e991c699d27d3d0ad9a47e9d35c29 Mon Sep 17 00:00:00 2001
From: Richard Bradfield
Date: Fri, 25 Feb 2022 10:46:16 +0000
Subject: [PATCH] Correctly load certificate chains into OpenSSL

Fix a longstanding bug where we were only loading the first (i.e. the leaf) certificate from any PEM file supplied by the user, this works in a lot of cases because most certificates are issued directly by trusted roots (LetsEncrypt for example), but chains that require an intermediate are by no means uncommon.
---
 src/ssl/openssl.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/ssl/openssl.rs b/src/ssl/openssl.rs
index 3a4daf7a..1bc96d35 100644
--- a/src/ssl/openssl.rs
+++ b/src/ssl/openssl.rs
@@ -74,8 +74,15 @@ impl OpenSslContext {
 let mut ctx = openssl::ssl::SslContext::builder(ssl::SslMethod::tls())?;
 ctx.set_cipher_list("DEFAULT")?;
- let cert = X509::from_pem(&certificates)?;
- ctx.set_certificate(&cert)?;
+ let certificate_chain = X509::stack_from_pem(&certificates)?;
+ if certificate_chain.is_empty() {
+ return Err("Couldn't extract certificate chain from config.".into());
+ }
+ // The leaf certificate must always be first in the PEM file
+ ctx.set_certificate(&certificate_chain[0])?;
+ for chain_cert in certificate_chain.into_iter().skip(1) {
+ ctx.add_extra_chain_cert(chain_cert)?;
+ }
 let key = PKey::private_key_from_pem(&private_key)?;
 ctx.set_private_key(&key)?;
 ctx.set_verify(SslVerifyMode::NONE);
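Review bot: The comment `// The leaf certificate must always be first in the PEM file` states an input requirement that nothing in the new code checks, so a file written root-first installs a CA certificate as the server certificate via `set_certificate` and the problem only surfaces later, when `set_private_key` rejects the key (if OpenSSL enforces the match at that point) or when clients fail the handshake. Since the key is loaded two lines below in the hunk's trailing context, adding `ctx.check_private_key()?;` after `ctx.set_private_key(&key)?;` fails fast at startup with an explicit OpenSSL error for both a misordered chain and a plain certificate/key mismatch. It would also help to say in the comment what the failure looks like, e.g. `// The leaf certificate must be first in the PEM file; the remaining entries are sent as the chain, and a misordered file fails the private-key check below`. The enclosing function starts before the hunk and its remainder is outside it.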