On 05/02/2014 07:17, Kaspar Brand wrote:
>
> There are two ways to address the issue: either in mod_ssl, or in
> OpenSSL. I'm not sure which one is preferable, but Mr. OpenSSL will
> hopefully tell us... (Steve: in theory, modifying the behavior of
> SSL_CTX_get_extra_chain_certs should be acceptable, given that only
> SSL_CTX_get0_chain_certs is documented, what do you think?)
>
In OpenSSL a function being undocumented is no guarantee something won't call it ;-)

It's not totally clear cut. With that change an application can no longer obtain the extra_chain_certs only and get NULL if there aren't any. However an application which is explicitly using per-certificate chains shouldn't be using the extra_chain_certs anyway. OTOH an existing application could use SSL_CTX_use_certificate_chain_file and then try to retrieve extra chain certificates using SSL_CTX_get_extra_chain_certs. With the 1.0.2 changes to SSL_CTX_use_certificate_chain_file that would fail in 1.0.2 without that change.

On balance I think that change should go in OpenSSL. I'll hear soon enough if it breaks anything...

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com