SSL: use of SSL_MODE_NO_AUTO_CHAIN.

The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically building a certificate chain on the fly if there is no certificate chain explicitly provided. Before this change, certificates provided via the ssl_client_certificate and ssl_trusted_certificate directives were used by OpenSSL to automatically build certificate chains, resulting in unexpected (and in some cases unneeded) chains being sent to clients.
author: Maxim Dounin <mdounin@mdounin.ru> 2015-03-23 02:42:35 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2015-03-23 02:42:35 +0300
commit: 47c44355b597da41b9b5159a5678525e00bea3bd (patch)
tree: fb6b6a11ed55a7cb8ef202830cfddffe638a118e /src
parent: a20c6d202edea3f56f90c9c4c75439e6d834623b (diff)
download: nginx-47c44355b597da41b9b5159a5678525e00bea3bd.tar.gz
nginx-47c44355b597da41b9b5159a5678525e00bea3bd.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 83186f582..1b789e687 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -285,6 +285,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
 
+#ifdef SSL_MODE_NO_AUTO_CHAIN
+    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
+#endif
+
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
     SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
author	Maxim Dounin <mdounin@mdounin.ru>	2015-03-23 02:42:35 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2015-03-23 02:42:35 +0300
commit	47c44355b597da41b9b5159a5678525e00bea3bd (patch)
tree	fb6b6a11ed55a7cb8ef202830cfddffe638a118e /src
parent	a20c6d202edea3f56f90c9c4c75439e6d834623b (diff)
download	nginx-47c44355b597da41b9b5159a5678525e00bea3bd.tar.gz nginx-47c44355b597da41b9b5159a5678525e00bea3bd.zip