From: Arran Cudbard-Bell
Date: Fri, 8 Oct 2021 19:42:43 +0000 (-0500)
Subject: Disable auto_chain entirely
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72fd8198bdc427e238a590e5d845e5c4472bb0f1;p=thirdparty%2Ffreeradius-server.git
Disable auto_chain entirely
It just causes confusion and annoyance
---
diff --git a/src/lib/tls/conf-h b/src/lib/tls/conf-h
index 4a4f2a8ae43..b3a78bd2e15 100644
--- a/src/lib/tls/conf-h
+++ b/src/lib/tls/conf-h
@@ -143,10 +143,6 @@ struct fr_tls_conf_s {
 uint32_t verify_depth; //!< Maximum number of certificates we can traverse
 //!< when attempting to reach the presented certificate
 //!< from our Root CA.
- bool auto_chain; //!< Allow OpenSSL to build certificate chains
- //!< from all certificates it has available.
- //!< If false, the complete chain must be provided in
- //!< certificate file.
 bool disable_single_dh_use;
 float tls_max_version; //!< Maximum TLS version allowed.
diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c
index b168f8f0623..651afab9da9 100644
--- a/src/lib/tls/conf.c
+++ b/src/lib/tls/conf.c
@@ -152,8 +152,6 @@ static CONF_PARSER tls_verify_config[] = {
 CONF_PARSER fr_tls_server_config[] = {
 { FR_CONF_OFFSET("virtual_server", FR_TYPE_VOID, fr_tls_conf_t, virtual_server), .func = virtual_server_cf_parse },
- { FR_CONF_OFFSET("auto_chain", FR_TYPE_BOOL, fr_tls_conf_t, auto_chain), .dflt = "yes" },
- { FR_CONF_OFFSET("chain", FR_TYPE_SUBSECTION | FR_TYPE_MULTI, fr_tls_conf_t, chains), .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t", .subcs = tls_chain_config, .ident2 = CF_IDENT_ANY },
diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
index 9978cd301ef..6b469f482da 100644
--- a/src/lib/tls/ctx.c
+++ b/src/lib/tls/ctx.c
@@ -719,8 +719,11 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 * unless we tell it to not do that. The problem is that
 * it sometimes gets the chains right from a certificate
 * signature view, but wrong from the clients view.
+ *
+ * It's better just to have users specify the complete
+ * chains.
 */
- if (!conf->auto_chain) mode |= SSL_MODE_NO_AUTO_CHAIN;
+ mode |= SSL_MODE_NO_AUTO_CHAIN;
 if (client) {
 mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
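Review bot: Setting `SSL_MODE_NO_AUTO_CHAIN` unconditionally reverses the previous effective default — the `auto_chain` parser entry removed in conf.c defaulted to "yes" — so a deployment whose certificate file holds only the leaf certificate will now present an incomplete chain, and clients that cannot locate the intermediates themselves will fail certificate verification, with nothing in this comment or the config layer telling the operator why. The new comment should state the operational requirement rather than just the preference, e.g. `* Auto-chaining is always off: the certificate file must contain the full chain (leaf plus intermediates), or clients may fail to verify the server certificate.` Since `auto_chain` is no longer parsed, it is also worth keeping a deprecated entry for it in `fr_tls_server_config` so that existing configurations which still set it get a clear diagnostic instead of a silent behaviour change; whether the parser rejects or ignores unknown items is not visible here. `fr_tls_ctx_alloc` begins and ends outside the hunk.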