Use algorithm specific chains for certificates.

Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm specific chains instead of the shared chain. Update docs. (cherry picked from commit a4339ea3ba045b7da038148f0d48ce25f2996971) Conflicts: CHANGES
2014-01-03 22:38:03 +00:00 · 2014-01-03 22:38:03 +00:00 · b9fa413a08
commit b9fa413a08
parent 4abe148444
3 changed files with 17 additions and 21 deletions
--- a/4
+++ b/4
@ -4,6 +4,10 @@
 Changes between 1.0.1e and 1.0.2 [xx XXX xxxx]
  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limiation in previous versions of OpenSSL.
     [Steve Henson]
  *) TLS pad extension: draft-agl-tls-padding-02
     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
--- a/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/doc/ssl/SSL_CTX_use_certificate.pod
@ -109,10 +109,9 @@ this B<ssl>, the last item added into B<ctx> will be checked.
 =head1 NOTES
-The internal certificate store of OpenSSL can hold two private key/certificate
+The internal certificate store of OpenSSL can hold several private
-pairs at a time: one key/certificate of type RSA and one key/certificate
+key/certificate pairs at a time. The certificate used depends on the
-of type DSA. The certificate used depends on the cipher select, see
+cipher selected, see also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
 also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
 When reading certificates and private keys from file, files of type
 SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
@ -122,16 +121,13 @@ Files of type SSL_FILETYPE_PEM can contain more than one item.
 SSL_CTX_use_certificate_chain_file() adds the first certificate found
 in the file to the certificate store. The other certificates are added
-to the store of chain certificates using
+to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
+certificate chain store for all certificate types, OpenSSL 1.0.2 and later
-There exists only one extra chain store, so that the same chain is appended
+have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() 
-to both types of certificates, RSA and DSA! If it is not intended to use
+should be used instead of the SSL_CTX_use_certificate_file() function in order
-both type of certificate at the same time, it is recommended to use the
+to allow the use of complete certificate chains even when no trusted CA
-SSL_CTX_use_certificate_chain_file() instead of the
+storage is used or when the CA issuing the certificate shall not be added to
-SSL_CTX_use_certificate_file() function in order to allow the use of
+the trusted CA storage.
 complete certificate chains even when no trusted CA storage is used or
 when the CA issuing the certificate shall not be added to the trusted
 CA storage.
 If additional certificates are needed to complete the chain during the
 TLS negotiation, CA certificates are additionally looked up in the
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@ -763,18 +763,14 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 		int r;
 		unsigned long err;
-		if (ctx->extra_certs != NULL)
+		SSL_CTX_clear_chain_certs(ctx);
 			{
 			sk_X509_pop_free(ctx->extra_certs, X509_free);
 			ctx->extra_certs = NULL;
 			}
 		while ((ca = PEM_read_bio_X509(in, NULL,
 					ctx->default_passwd_callback,
 					ctx->default_passwd_callback_userdata))
 			!= NULL)
 			{
-			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+			r = SSL_CTX_add0_chain_cert(ctx, ca);
 			if (!r) 
 				{
 				X509_free(ca);