On 2017-11-02 at 18:00 +0000, Viktor Dukhovni wrote:
> IIRC, the last chain file loaded was used to provide the issuer
> certificates for all the public key types. The work-around is to
> make sure that all the issuer certificates needed by *any* leaf
> cert are present in *each* chain file.
Presumably this is covered under the OpenSSL CHANGES file item in the
list under "Changes between 1.0.1l and 1.0.2 [22 Jan 2015]":
} *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
} this fixes a limiation in previous versions of OpenSSL.
} [Steve Henson]
-Phil
