SSL_CTX_add_extra_chain_cert transfers ownership of the given certificate, so it's best to call X509_STORE_add_cert with that certificate before rather than after it. (This doesn't cause a problem today because OpenSSL keeps a reference around and no other calls to modify the chain are made between. As you might guess from this message, this is not always true within Google!)
--- test/MockHTTPinC/MockHTTP_server.c (revision 1781186) +++ test/MockHTTPinC/MockHTTP_server.c (working copy) @@ -2755,8 +2755,8 @@ X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL); fclose(fp); + X509_STORE_add_cert(store, ssl_cert); SSL_CTX_add_extra_chain_cert(ssl_ctx->ctx, ssl_cert); - X509_STORE_add_cert(store, ssl_cert); } } Cheers AGL