]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Load full certificate chain from a certificate chain file
authorArtem Boldariev <artem@boldariev.com>
Tue, 9 Mar 2021 12:45:03 +0000 (14:45 +0200)
committerArtem Boldariev <artem@boldariev.com>
Tue, 16 Mar 2021 09:49:04 +0000 (11:49 +0200)
This commit fixes loading the certificate chain files so that the full
chain could be sent to the clients which require that for
verification. Before that fix only the top most certificate would be
loaded from the chain and sent to clients preventing some of them to
perform certificate validation (e.g. Windows 10 DoH client).

lib/isc/tls.c

index 8a3f5cc41b53c12d164dfecc48163434ed5476f7..d15fc16b1cea8329ad7d60aa4ca0f8ac7fdf9180 100644 (file)
@@ -311,8 +311,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
                EVP_PKEY_free(pkey);
                BN_free(bn);
        } else {
-               rv = SSL_CTX_use_certificate_file(ctx, certfile,
-                                                 SSL_FILETYPE_PEM);
+               rv = SSL_CTX_use_certificate_chain_file(ctx, certfile);
                if (rv != 1) {
                        goto ssl_error;
                }