MINOR: ssl: add extra chain compatibility
cert_key_and_chain handling is now outside openssl 1.0.2 #if: the
code must be libssl compatible. SSL_CTX_add1_chain_cert and
SSL_CTX_set1_chain requires openssl >= 1.0.2, replace it by legacy
SSL_CTX_add_extra_chain_cert when SSL_CTX_set1_chain is not provided.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b6b7057..cd05421 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3045,11 +3045,24 @@
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+#ifdef SSL_CTX_set1_chain
if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", path);
return 1;
}
+#else
+ { /* legacy compat (< openssl 1.0.2) */
+ X509 *ca;
+ while ((ca = sk_X509_shift(ckch->chain)))
+ if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
+ memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+ err && *err ? *err : "", path);
+ X509_free(ca);
+ return 1;
+ }
+ }
+#endif
if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",