On 28/12/2013 13:34, Kaspar Brand wrote:
> On 18.11.2013 18:42, Kaspar Brand wrote:
>> On 18.11.2013 15:38, Dr Stephen Henson wrote:
>>> For OpenSSL 1.0.2 this limitation is removed and you can have different
>>> chains for each certificate type (and for SSL structures too) and it just
>>> uses the right one. This uses the function SSL_CTX_add1_chain_cert which
>>> adds a certificate to the chain for the current certificate.
>>>
>>> I *could* change SSL_CTX_use_certificate_chain_file to use
>>> SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps
>>> have a different function. I'm always cautious about changing the behaviour
>>> of existing functions though as the most innocent change will usually break
>>> *something*, though I can't see how it can in this case.
>>
>> I would be in favor of this change for 1.0.2 - to me that would be more
>> like a "fix" of SSL_CTX_use_certificate_chain_file than a change in
>> behavior, actually.
>
> FYI: in r1553824 (which I just committed to trunk), I'm now manually
> shuffling things around to support per-cert chains - but would happily
> drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
> to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.
>
Now done for OpenSSL master and 1.0.2 branches.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710 +1 877-673-6775
[email protected]
