[PATCH] RSA+DSA+ECC bundles

Rob Stradling rob.stradling at comodo.com
Thu Oct 24 12:08:27 UTC 2013


On 23/10/13 22:55, Piotr Sikora wrote:
> Hey Rob,
>
>> #if OPENSSL_VERSION_NUMBER >= 0x10002000L
>>      // OpenSSL 1.0.2 lets us do this properly
>>      Call SSL_CTX_add1_chain_cert(ssl->ctx, x509)
>> #else
>>      If (number of ssl_certificate directives > 1)
>>          // Put this intermediate in the "trusted certificates store"
>>          Call X509_STORE_add_cert(ssl->ctx->cert_store, x509)
>>      Else
>>          // This is what Nginx does currently
>>          Call SSL_CTX_add_extra_chain_cert(ssl->ctx, x509)
>>      End If
>> #endif
>
> For consistency's sake, you should be using
> SSL_CTX_add0_chain_cert(), since it doesn't increase OpenSSL's
> internal reference count, same as SSL_CTX_add_extra_chain_cert()... If
> you want to use SSL_CTX_add1_chain_cert() then you should free x509
> afterwards.

Good point.  Thanks Piotr!

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
