Disable auto_chain entirely
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 19:42:43 +0000 (14:42 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 19:55:43 +0000 (14:55 -0500)
It just causes confusion and annoyance

src/lib/tls/conf-h
src/lib/tls/conf.c
src/lib/tls/ctx.c

index 4a4f2a8ae43202465616707396c1e90a227234d1..b3a78bd2e15fa28dd55f4e64626e11095ae8bd4d 100644 (file)
@@ -143,10 +143,6 @@ struct fr_tls_conf_s {
        uint32_t        verify_depth;                   //!< Maximum number of certificates we can traverse
                                                        //!< when attempting to reach the presented certificate
                                                        //!< from our Root CA.
-       bool            auto_chain;                     //!< Allow OpenSSL to build certificate chains
-                                                       //!< from all certificates it has available.
-                                                       //!< If false, the complete chain must be provided in
-                                                       //!< certificate file.
        bool            disable_single_dh_use;
 
        float           tls_max_version;                //!< Maximum TLS version allowed.
index b168f8f06236577090fc8bf19e22a521d02c513a..651afab9da91b73fcf522fe16937a0250eabcc49 100644 (file)
@@ -152,8 +152,6 @@ static CONF_PARSER tls_verify_config[] = {
 CONF_PARSER fr_tls_server_config[] = {
        { FR_CONF_OFFSET("virtual_server", FR_TYPE_VOID, fr_tls_conf_t, virtual_server), .func = virtual_server_cf_parse },
 
-       { FR_CONF_OFFSET("auto_chain", FR_TYPE_BOOL, fr_tls_conf_t, auto_chain), .dflt = "yes" },
-
        { FR_CONF_OFFSET("chain", FR_TYPE_SUBSECTION | FR_TYPE_MULTI, fr_tls_conf_t, chains),
          .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t",
          .subcs = tls_chain_config, .ident2 = CF_IDENT_ANY },
index 9978cd301efb0bf52ebf5bd309efdecd50eb22f9..6b469f482da3f9332ee9164160227b1927f16048 100644 (file)
@@ -719,8 +719,11 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
                 *      unless we tell it to not do that.  The problem is that
                 *      it sometimes gets the chains right from a certificate
                 *      signature view, but wrong from the clients view.
+                *
+                *      It's better just to have users specify the complete
+                *      chains.
                 */
-               if (!conf->auto_chain) mode |= SSL_MODE_NO_AUTO_CHAIN;
+               mode |= SSL_MODE_NO_AUTO_CHAIN;
 
                if (client) {
                        mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
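Review bot: The now-unconditional `mode |= SSL_MODE_NO_AUTO_CHAIN;` means a chain file that omits an intermediate is sent to the peer exactly as configured and fails verification there, whereas the removed `auto_chain` default of "yes" previously let OpenSSL fill the gap from whatever certificates it had loaded; the enlarged comment should state that this is the intended, deterministic behaviour so the failure is diagnosed as a configuration error rather than reported as a regression, e.g. append `*      A missing intermediate therefore shows up as a verification failure on the peer rather than a silently repaired chain.`. Since the `auto_chain` entry is also dropped from fr_tls_server_config in conf.c, existing configurations that still set it will presumably be warned about or rejected at parse time (the parser's handling of unknown items is not visible here), so a note in the option documentation or a one-release deprecation entry would help operators migrate. fr_tls_ctx_alloc starts before this hunk and its body continues after it.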