> On Nov 2, 2017, at 3:39 PM, Phil Pennock <pdp@???> wrote:
>
> On 2017-11-02 at 18:00 +0000, Viktor Dukhovni wrote:
>> IIRC, the last chain file loaded was used to provide the issuer
>> certificates for all the public key types. The work-around is to
>> make sure that all the issuer certificates needed by *any* leaf
>> cert are present in *each* chain file.
>
> Presumably this is covered under the OpenSSL CHANGES file item in the
> list under "Changes between 1.0.1l and 1.0.2 [22 Jan 2015]":
>
> } *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
> } this fixes a limitation in previous versions of OpenSSL.
> } [Steve Henson]

That sounds about right. Worth a test, but looks promising.
--
Viktor.
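The workaround described in the thread (every issuer certificate needed by any leaf must be present in each chain file, because pre-1.0.2 OpenSSL used the issuers from the last chain file loaded for all key types) can be checked mechanically before deploying on an older library. The script below is an added example, not code from this thread, from Exim or from OpenSSL. It assumes the chain-file layout documented for SSL_CTX_use_certificate_chain_file (first PEM block is the end-entity certificate, the following blocks are its issuers), compares blocks as raw PEM text rather than parsing X.509, and exercises the logic on constructed placeholder blocks instead of real certificates.

```python
import re
import sys
from typing import Dict, List

# One PEM certificate block, armour included.  Comparison is on the raw
# text, so the same certificate wrapped differently counts as different.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.S,
)


def split_chain(pem_text: str) -> List[str]:
    """Return the PEM certificate blocks of a chain file in file order.

    SSL_CTX_use_certificate_chain_file() takes the first block as the
    end-entity certificate and the rest as its issuer chain, so index 0 is
    the leaf and [1:] are the issuers.
    """
    return [m.group(0) for m in PEM_CERT.finditer(pem_text)]


def all_issuers(chains: Dict[str, str]) -> List[str]:
    """Union of the issuer blocks across every chain file, first seen first."""
    union: List[str] = []
    for text in chains.values():
        for block in split_chain(text)[1:]:
            if block not in union:
                union.append(block)
    return union


def missing_issuers(chains: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each chain file to the issuer blocks other files carry that it lacks.

    Before the 1.0.2 change, only the last chain file loaded supplied the
    issuer certificates for every key type, so the workaround needs this
    to be empty for every file.
    """
    union = all_issuers(chains)
    return {
        name: [b for b in union if b not in split_chain(text)[1:]]
        for name, text in chains.items()
    }


def merge_chain(pem_text: str, chains: Dict[str, str]) -> str:
    """Rebuild one chain file with every issuer from all files appended.

    The leaf stays first so OpenSSL still loads the right end-entity
    certificate; only the issuer section grows.
    """
    blocks = split_chain(pem_text)
    if not blocks:
        raise ValueError("no certificate blocks found")
    out = blocks[:]
    for block in all_issuers(chains):
        if block not in out:
            out.append(block)
    return "\n".join(out) + "\n"


def _fake_cert(label: str) -> str:
    # Constructed placeholder, not a real certificate: a distinct PEM block so
    # the set logic can run offline.
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % label


# Constructed sample: an RSA chain with its intermediate and root, and an
# ECDSA chain from a different intermediate that omits the root.
SAMPLE_CHAINS = {
    "rsa.pem": "\n".join(
        [_fake_cert("rsa-leaf"), _fake_cert("rsa-intermediate"), _fake_cert("root")]
    ),
    "ecdsa.pem": "\n".join(
        [_fake_cert("ecdsa-leaf"), _fake_cert("ecdsa-intermediate")]
    ),
}


def main(argv: List[str]) -> int:
    # With file paths on the command line, check those; otherwise the sample.
    if len(argv) > 1:
        chains = {p: open(p).read() for p in argv[1:]}
    else:
        chains = SAMPLE_CHAINS
    gaps = missing_issuers(chains)
    for name, blocks in gaps.items():
        print("%s: missing %d issuer block(s)" % (name, len(blocks)))
    return 1 if any(gaps.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_chains.py rsa.pem ecdsa.pem`; a non-zero exit means at least one file lacks an issuer that another file needs, and merge_chain() produces the padded file to install. On OpenSSL 1.0.2 or later the per-algorithm chains make the padding unnecessary, and an extra unrelated intermediate in a chain is harmless to clients, which is why the workaround is safe to leave in place across an upgrade.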