On Thu, Nov 02, 2017 at 12:15:16PM +0000, admin@??? wrote:
> OpenSSL:
> The Notes section of SSL_CTX_use_certificate_chain_file(3ssl) uses the word
> "added", implying we can call it multiple times. The description for
> SSL_CTX_use_PrivateKey_file() also says "added".

I may have mentioned this on this list before, but just in case:

* Some versions of OpenSSL prior to 1.1.0 (don't recall whether
  this includes 1.0.2 or not), don't correctly handle the
  issuer certificate lists when using multiple chain files.
  IIRC, the last chain file loaded was used to provide the issuer
  certificates for all the public key types. The work-around is to
  make sure that all the issuer certificates needed by *any* leaf
  cert are present in *each* chain file.

It would be great if you could test this with 1.0.2, and post your
findings (likely worth documenting, if 1.0.2 still exhibits the
anomaly).

--
Viktor.
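
A check for the work-around described in the message above, added here as an example and not part of the original post: it reports, for each chain file, the issuer certificates that appear in some other chain file but are absent from it. It assumes each file lists the leaf certificate first and compares certificates by exact DER bytes; the file names and placeholder PEM bodies are constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate's DER bytes, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(m.split()))).hexdigest()
            for m in PEM_RE.findall(pem_text)]


def missing_issuers(chain_files):
    """Map each chain file to the issuer certs found elsewhere but not in it.

    Assumption: the first certificate in every file is the leaf, the rest
    are its issuers.
    """
    issuers = {name: set(cert_fingerprints(text)[1:])
               for name, text in chain_files.items()}
    needed = set().union(*issuers.values())  # issuers needed by *any* leaf
    return {name: sorted(needed - have) for name, have in issuers.items()}


def _fake_pem(label):
    # Constructed placeholder, not a real certificate: only PEM framing matters.
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: the RSA chain file lacks the ECDSA leaf's intermediate.
SAMPLE = {
    "rsa-chain.pem": _fake_pem("rsa-leaf") + _fake_pem("rsa-intermediate"),
    "ecdsa-chain.pem": (_fake_pem("ecdsa-leaf")
                        + _fake_pem("ecdsa-intermediate")
                        + _fake_pem("rsa-intermediate")),
}

if __name__ == "__main__":
    for name, missing in missing_issuers(SAMPLE).items():
        status = "OK" if not missing else f"missing {len(missing)} issuer cert(s)"
        print(f"{name}: {status}")
```

A file reported as missing issuers is one that would serve an incomplete chain if it happened to be the last one loaded on an affected OpenSSL version.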