OpenSSL: Make sure local certificate auto chaining is enabled

Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 9ca58b3cef7111f8c84313da6de54a991977ba55..e2749755f58c128950f7118561c958d366c03e04 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -972,6 +972,14 @@ void * tls_init(const struct tls_config *conf)
        SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
        SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
 
+#ifdef SSL_MODE_NO_AUTO_CHAIN
+       /* Number of deployed use cases assume the default OpenSSL behavior of
+        * auto chaining the local certificate is in use. BoringSSL removed this
+        * functionality by default, so we need to restore it here to avoid
+        * breaking existing use cases. */
+       SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
+#endif /* SSL_MODE_NO_AUTO_CHAIN */
+
        SSL_CTX_set_info_callback(ssl, ssl_info_cb);
        SSL_CTX_set_app_data(ssl, context);
        if (data->tls_session_lifetime > 0) {