On 03.01.2014 23:51, Dr Stephen Henson wrote:
> On 28/12/2013 13:34, Kaspar Brand wrote:
>> FYI: in r1553824 (which I just committed to trunk), I'm now manually
>> shuffling things around to support per-cert chains - but would happily
>> drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
>> to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.
>>
>
> Now done for OpenSSL master and 1.0.2 branches.

Thanks, I have removed the code in r1555463 therefore. Assuming that the
release of 1.0.2 isn't too far away by now, I have added a backport
proposal for 2.4.x. Votes/reviews welcome.

(And while I have your attention: could you perhaps have a look at
OpenSSL's PRs #3178 and #3183? Both would help in improving SNI-based
configurations.)

Kaspar