[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8586) load cert+chain from TLSCertificateFile

Full_Name: Andreas Schulze
Version: RE24 testing call (2.4.45)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/andreas-schulze-20170211.patch
Submission from: (NULL) (2001:a60:f0b4:e502:80b6:610b:8fc2:abfe)

as discussed on the technical ML it's uncommon to put chain certificates in
TLSCACertificateFile or TLSCACertificatePath. In case of a intermediate CA like
"Let's Encrypt Authority X3" it may be wrong becaus the user is forced to
/TRUST/ that intermediate for a unrelated purpose.

from https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_use_certificate.html#NOTES:

  SSL_CTX_use_certificate_chain_file() should be used instead of the
  SSL_CTX_use_certificate_file() function in order to allow the use of complete
  certificate chains even when no trusted CA storage is used or when the CA
  the certificate shall not be added to the trusted CA storage.

The patch andreas-schulze-20170211.patch only apply for openssl.