On Wed, 2009-06-03 at 17:59 -0400, Victor Duchovni wrote: > The SSL_CTX_use_certificate_chain_file() API is a very admin friendly > way to support installation of cert + chain and even key + cert + chain, > as the key can also be stored in the same file (ideally mode 0600 or > passphrase-protected).
Much like a PKCS#12 file, in fact. I'll make my VPN client use SSL_CTX_use_certificate_chain_file(), and I'll also look at making our cert-fetching scripts generate an appropriate file. Thanks. In the meantime the bug seems to have been fixed on the server so it doesn't _need_ me to submit a full certificate chain any more. Either they've deployed a fix for RT#1942, or the admins have just removed the old, conflicting CA certs from the CA bundle. -- dwmw2 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org