[PATCH] RSA+DSA+ECC bundles
Piotr Sikora
piotr at cloudflare.com
Wed Oct 23 21:55:04 UTC 2013
Hey Rob,
> #if OPENSSL_VERSION_NUMBER >= 0x10002000L
> // OpenSSL 1.0.2 lets us do this properly
> Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
> #else
> If (number of ssl_certificate directives > 1)
> // Put this intermediate in the "trusted certificates store"
> Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
> Else
> // This is what Nginx does currently
> Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
> End If
> #endif
For the consistency sake, you should be using
SSL_CTX_add0_chain_cert(), since it doesn't increase OpenSSL's
internal reference count, same as SSL_CTX_add_extra_chain_cert()... If
you want use SSL_CTX_add1_chain_cert() then you should free x509
afterwards.
Best regards,
Piotr Sikora
More information about the nginx-devel
mailing list