Skip to content

Commit

Permalink
crypto: use SSL_CTX_clear_extra_chain_certs.
Browse files Browse the repository at this point in the history
The SSL_CTX_clear_extra_chain_certs function clears the extra
certificates associated with an SSL_CTX without reaching into the
SSL_CTX structure itself (which will become impossible in OpenSSL
1.1.0). The underlying implementation in OpenSSL[1] is the same what the
code was doing and OpenSSL has provided this function since 0.9.8 so
this change should be fully compatible.

[1] https://github.com/nodejs/node/blob/master/deps/openssl/openssl/ssl/s3_lib.c#L3899

PR-URL: #4919
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
  • Loading branch information
agl authored and rvagg committed Feb 8, 2016
1 parent e95fd6a commit 0d4b538
Showing 1 changed file with 1 addition and 4 deletions.
5 changes: 1 addition & 4 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -521,10 +521,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// the CA certificates.
int r;

if (ctx->extra_certs != nullptr) {
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = nullptr;
}
SSL_CTX_clear_extra_chain_certs(ctx);

for (int i = 0; i < sk_X509_num(extra_certs); i++) {
X509* ca = sk_X509_value(extra_certs, i);
Expand Down

0 comments on commit 0d4b538

Please sign in to comment.