Re: [exim-dev] [Bug 2092] Should support dual-key configurat…

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2092] Should support dual-key configuration with lists of keys/certs
On Thu, Nov 02, 2017 at 12:15:16PM +0000, admin@??? wrote:

> OpenSSL:
> The Notes section of SSL_CTX_use_certificate_chain_file(3ssl) uses the word
> "added", implying we can call it multiple times. The description for
> SSL_CTX_use_PrivateKey_file() also says "added".


I may have mentioned this on this list before, but just in case:

    * Some versions of OpenSSL prior to 1.1.0 (don't recall whether
      this includes 1.0.2 or not), don't correctly handle the
      issuer certificate lists when using multiple chain files.


IIRC, the last chain file loaded was used to provide the issuer
certificates for all the public key types. The work-around is to
make sure that all the issuer certificates needed by *any* leaf
cert are present in *each* chain file.

It would be great if you could test this with 1.0.2, and post your
findings (likely worth documenting, if 1.0.2 still exhibits the
anomaly).

-- 
    Viktor.