On Thu, Dec 3, 2015 at 11:49 AM, Rainer Jung <[email protected]> wrote:
> I did a 2.2 to 2.4 migration today. The old 2.2 server was using a
> certificate file, which was DER encoded and the new 2.4 one didn't like it.
>
> It seems support for DER encoded certs was removed in 2.4.8 as a side
> effect of r1573360 (backport of r1553824). The certificate in 2.2 is read
> using SSL_read_X509() which tries PEM but also DER. After the change, the
> OpenSSL API SSL_read_X509() is used, which only accepts PEM.
>
> Is that problem analysis right? If so we'd need to decide whether we keep
> it as is (no one complained, so DER seems to be rare) and simply document
> the change in the changelog and migration guide, or whether we still need
> to support DER encoded certs.
>

I think you meant PEM_read_bio_* and PEM_X509_INFO_read_bio in the 2.4.8+ implementation. What I don't grok is why there are no corresponding DER_ functions exposed by openssl? If there were, fail-over seems simple enough.

> IMHO documenting the change would be enough.
>

That's a good start for anyone tripping over 2.4.8-2.4.x, whether it is fixed or not.
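
The PEM-then-DER fail-over the thread attributes to the 2.2 reader, as an added example that is not httpd's or OpenSSL's code: it sniffs the PEM marker, otherwise checks that the bytes form exactly one DER SEQUENCE, and normalises DER to PEM with Python's stdlib `ssl` helpers so a 2.4.8+ style PEM-only loader can consume it. The sample DER blob is constructed (a SEQUENCE around an OCTET STRING, not a real certificate) and no X.509 validation is performed.

```python
import ssl

PEM_MARKER = b"-----BEGIN "

def der_outer_length(data: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None if the
    bytes do not start with a well-formed SEQUENCE tag and length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short-form length (one byte)
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def load_cert_as_pem(data: bytes) -> str:
    """Accept a PEM or DER certificate file body; always return PEM text.
    Mirrors the PEM-first, DER-fallback behaviour described in the thread."""
    if data.lstrip().startswith(PEM_MARKER):
        return data.decode("ascii")
    total = der_outer_length(data)
    if total is None or total != len(data):
        raise ValueError("neither PEM nor a single complete DER SEQUENCE")
    return ssl.DER_cert_to_PEM_cert(data)   # base64-wraps, no parsing

def is_accepted(data: bytes) -> bool:
    """True if the loader accepts the input (PEM or complete DER)."""
    try:
        load_cert_as_pem(data)
        return True
    except ValueError:
        return False

def round_trips(data: bytes) -> bool:
    """True if DER input survives DER -> PEM -> DER unchanged."""
    return ssl.PEM_cert_to_DER_cert(load_cert_as_pem(data)) == data

# Constructed sample: SEQUENCE { OCTET STRING (200 bytes) }. The 200-byte
# payload forces long-form lengths (0x81 0xNN) at both levels.
INNER = b"\x04\x81\xc8" + b"\xaa" * 200
SAMPLE_DER = b"\x30\x81" + bytes([len(INNER)]) + INNER
```

The same normalisation is what the migration actually needs: convert the DER file to PEM once (with the `openssl x509 -inform DER` CLI or this helper) rather than expecting the 2.4.8+ reader to fall back.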
