SSL_CTX_add_extra_chain_cert transfers ownership of the given certificate,
so it's best to call X509_STORE_add_cert with that certificate before
rather than after it. (This doesn't cause a problem today because OpenSSL
keeps a reference around and no other calls to modify the chain are made
between. As you might guess from this message, this is not always true
within Google!)
--- test/MockHTTPinC/MockHTTP_server.c (revision 1781186)
+++ test/MockHTTPinC/MockHTTP_server.c (working copy)
@@ -2755,8 +2755,8 @@
X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
+ X509_STORE_add_cert(store, ssl_cert);
SSL_CTX_add_extra_chain_cert(ssl_ctx->ctx, ssl_cert);
- X509_STORE_add_cert(store, ssl_cert);
}
}
Cheers
AGL
