On 18.11.2013 18:42, Kaspar Brand wrote:
> On 18.11.2013 15:38, Dr Stephen Henson wrote:
>> For OpenSSL 1.0.2 this limitation is removed and you can have different chains
>> for each certificate type (and for SSL structures too) and it just uses the
>> right one. This uses the function SSL_CTX_add1_chain_cert which adds a
>> certificate to the chain for the current certificate.
>>
>> I *could* change SSL_CTX_use_certificate_chain_file to use
>> SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps have
>> a different function. I'm always cautious about changing the behaviour of
>> existing functions though as the most innocent change will usually break
>> *something*, though I can't see how it can in this case.
>
> I would be in favor of this change for 1.0.2 - to me that would be more
> like a "fix" of SSL_CTX_use_certificate_chain_file than a change in
> behavior, actually.
FYI: in r1553824 (which I just committed to trunk), I'm now manually shuffling things around to support per-cert chains - but would happily drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.

Kaspar
