git.proxmox.com Git - pve-apiclient.git/commitdiff
fix validation of self-signed cert chains
author Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tue, 26 Mar 2024 08:15:02 +0000 (09:15 +0100)
committer Thomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 26 Mar 2024 08:34:33 +0000 (09:34 +0100)
The interface here is a bit weird - if the verify callback returns 1
for a certificate higher up in the chain, this will propagate to the
next invocation of the callback for the next certificate, even if
openssl on its own would not trust the certificate.

By re-ordering the checks and keeping track of the fact that we
returned 1 despite openssl failing its own validation, the validation
logic should now cover all combinations of certificate count and
self-signed/system trust status.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
src/PVE/APIClient/LWP.pm

index 722b35ad9911881b803d46244962de14cf876158..f753109478867986894ecf2227f67fda7fdb00be 100755 (executable)
@@ -415,11 +415,18 @@ sub new {
        $ssl_opts->{'SSL_verify_callback'} = sub {
            my ($openssl_valid, undef, undef, undef, $cert, $depth) = @_;
 
-           # we don't care about intermediate or root certificates
-           return 1 if $depth != 0;
-
            return 1 if $trust_openssl && $openssl_valid;
 
+           # Openssl encountered validation error, only allow validation to
+           # pass if fingerprint is verified
+           $trust_openssl = 0;
+
+           # We don't care about intermediate or root certificates if we don't
+           # trust openssl's validation result
+           return 1 if $depth != 0;
+
+           # We've reached the leaf certificate and the chain didn't pass
+           # openssl's validation - let's verify the fingerprint!
            return verify_cert_callback($fingerprints, $cert, $verify_fingerprint_cb);
        }
     }
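
Review bot: `$trust_openssl = 0;` writes to a variable captured from the enclosing `new`, and nothing in this hunk sets it back, so the downgrade outlives the handshake that triggered it. If the same callback is used for a later connection from this client object, a chain that openssl validates would still skip the `$trust_openssl && $openssl_valid` return and be decided by `verify_cert_callback` alone. Consider tracking the failure in per-handshake state, or state in the comment that the sticky downgrade is intended. The new comments could also say that the logic depends on the callback being invoked for the certificates higher up in the chain before depth 0, since that ordering is what makes the flag set at `$depth != 0` visible when the leaf is checked.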