TS-4619 (Traffic Server)

Intermediate certificate chain loading can miss certificates

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.0.0
    • Component/s: SSL
    • Labels: None

    Description

      When loading intermediate SSL certificates, the original code used SSL_CTX_add_extra_chain_cert_file which adds all the certificates in the file.

      The new code uses SSL_CTX_add0_chain_cert and passes it a single X509 *, so it only ends up loading the first intermediate rather than all of them.

      This code occurs in 3 places with ugly #ifdefs. The right thing to do here is to call SSL_CTX_add_extra_chain_cert_file in every place and inside SSL_CTX_add_extra_chain_cert_file use SSL_CTX_add0_chain_cert if it is available.

      Also take a look at the place where the server certificate is loaded. This is also allowed to be a bundle, so we can call SSL_CTX_add_extra_chain_cert_file again to avoid the code duplication, though at this point we already have a BIO in hand that we would need to use.
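As an added example (not part of this issue or of the Traffic Server code), a small Python check that a deployment is actually serving every intermediate in its configured bundle: it splits a PEM bundle the way OpenSSL's PEM reader does, fingerprints each certificate, and reports the ones in the bundle that are absent from the chain the server presented (for instance the output of `openssl s_client -showcerts`). The PEM bodies below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the base64 body span several lines.
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem_certs(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order.
    Text between blocks (e.g. the 's:'/'i:' lines that 'openssl s_client
    -showcerts' prints) is skipped, just as OpenSSL's PEM reader skips it."""
    ders = []
    for match in _PEM_CERT.finditer(pem_text):
        body = "".join(match.group(1).split())  # strip line breaks
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def missing_from_served_chain(bundle_pem, served_pem):
    """Fingerprints of certificates in the configured bundle that are absent
    from the chain the server actually sent; empty means all are served."""
    served = {fingerprint(der) for der in split_pem_certs(served_pem)}
    return [fingerprint(der) for der in split_pem_certs(bundle_pem)
            if fingerprint(der) not in served]


def fake_pem(name):
    # Constructed stand-in: valid base64 wrapping a label, not a real DER certificate.
    body = base64.b64encode(("constructed cert " + name).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed bundle of two intermediates, as configured for the server.
INTERMEDIATE_BUNDLE = fake_pem("intermediate-1") + fake_pem("intermediate-2")
# Constructed chain as a server hit by this bug would present it: the leaf plus
# only the first intermediate, with the 's:' lines that -showcerts interleaves.
SERVED_CHAIN = (" 0 s:CN=leaf\n" + fake_pem("leaf")
                + " 1 s:CN=intermediate-1\n" + fake_pem("intermediate-1"))
```

Running `missing_from_served_chain(INTERMEDIATE_BUNDLE, SERVED_CHAIN)` on these inputs returns one fingerprint, that of the second intermediate, which is exactly the symptom described above.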

People

    Assignee: shinrich (Susan Hinrichs)
    Reporter: jamespeach (James Peach)
    Votes: 0
    Watchers: 2

Time Tracking

    Original Estimate: Not Specified
    Remaining Estimate: 0h
    Time Spent: 1h