Use algorithm specific chains for certificates.

Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.

diff --git a/CHANGES b/CHANGES
index 111db939f94a508d66bb203b22446b1506162a96..797c02118c11938899035b19b58ce9ae72034c1c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 

+  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+     this fixes a limiation in previous versions of OpenSSL.
+     [Steve Henson]
+

   *) Experimental encrypt-then-mac support.
     
      Experimental support for encrypt then mac from
   *) Experimental encrypt-then-mac support.
     
      Experimental support for encrypt then mac from

diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod
index 10be95fdb1099f398cf737ea0c7b9edf9db4c16d..80321b8580e3f8e5f88acc3f5802d09e3b620855 100644 (file)
--- a/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/doc/ssl/SSL_CTX_use_certificate.pod
@@ -109,10 +109,9 @@ this B<ssl>, the last item added into B<ctx> will be checked.
 
 =head1 NOTES
   
 
 =head1 NOTES
   

-The internal certificate store of OpenSSL can hold two private key/certificate
-pairs at a time: one key/certificate of type RSA and one key/certificate
-of type DSA. The certificate used depends on the cipher select, see
-also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
+The internal certificate store of OpenSSL can hold several private
+key/certificate pairs at a time. The certificate used depends on the
+cipher selected, see also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.

 
 When reading certificates and private keys from file, files of type
 SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
 
 When reading certificates and private keys from file, files of type
 SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain


@@ -122,16 +121,13 @@ Files of type SSL_FILETYPE_PEM can contain more than one item.
 
 SSL_CTX_use_certificate_chain_file() adds the first certificate found
 in the file to the certificate store. The other certificates are added
 
 SSL_CTX_use_certificate_chain_file() adds the first certificate found
 in the file to the certificate store. The other certificates are added

-to the store of chain certificates using
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
-There exists only one extra chain store, so that the same chain is appended
-to both types of certificates, RSA and DSA! If it is not intended to use
-both type of certificate at the same time, it is recommended to use the
-SSL_CTX_use_certificate_chain_file() instead of the
-SSL_CTX_use_certificate_file() function in order to allow the use of
-complete certificate chains even when no trusted CA storage is used or
-when the CA issuing the certificate shall not be added to the trusted
-CA storage.
+to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single
+certificate chain store for all certificate types, OpenSSL 1.0.2 and later
+have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() 
+should be used instead of the SSL_CTX_use_certificate_file() function in order
+to allow the use of complete certificate chains even when no trusted CA
+storage is used or when the CA issuing the certificate shall not be added to
+the trusted CA storage.

 
 If additional certificates are needed to complete the chain during the
 TLS negotiation, CA certificates are additionally looked up in the
 
 If additional certificates are needed to complete the chain during the
 TLS negotiation, CA certificates are additionally looked up in the

diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 953295518dc374b280df3cb4e26b38ec95011f27..7fcd8460a3e5832c385e264f033b154b4f77225b 100644 (file)
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -758,19 +758,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                X509 *ca;
                int r;
                unsigned long err;
                X509 *ca;
                int r;
                unsigned long err;

-               
-               if (ctx->extra_certs != NULL)
-                       {
-                       sk_X509_pop_free(ctx->extra_certs, X509_free);
-                       ctx->extra_certs = NULL;
-                       }

 
 

+               SSL_CTX_clear_chain_certs(ctx);
+               

                while ((ca = PEM_read_bio_X509(in, NULL,
                                        ctx->default_passwd_callback,
                                        ctx->default_passwd_callback_userdata))
                        != NULL)
                        {
                while ((ca = PEM_read_bio_X509(in, NULL,
                                        ctx->default_passwd_callback,
                                        ctx->default_passwd_callback_userdata))
                        != NULL)
                        {

-                       r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+                       r = SSL_CTX_add0_chain_cert(ctx, ca);

                        if (!r) 
                                {
                                X509_free(ca);
                        if (!r) 
                                {
                                X509_free(ca);