From: Artem Boldariev Date: Tue, 9 Mar 2021 12:45:03 +0000 (+0200) Subject: Load full certificate chain from a certificate chain file X-Git-Tag: v9.17.12~42^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75363dcb7c03f8a5a8fb2e261149292497473b1c;p=thirdparty%2Fbind9.git Load full certificate chain from a certificate chain file This commit fixes loading the certificate chain files so that the full chain could be sent to the clients which require that for verification. Before that fix only the top most certificate would be loaded from the chain and sent to clients preventing some of them to perform certificate validation (e.g. Windows 10 DoH client). --- diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 8a3f5cc41b5..d15fc16b1ce 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -311,8 +311,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, EVP_PKEY_free(pkey); BN_free(bn); } else { - rv = SSL_CTX_use_certificate_file(ctx, certfile, - SSL_FILETYPE_PEM); + rv = SSL_CTX_use_certificate_chain_file(ctx, certfile); if (rv != 1) { goto ssl_error; }