From: Maxim Dounin Date: Sun, 22 Mar 2015 23:42:35 +0000 (+0300) Subject: SSL: use of SSL_MODE_NO_AUTO_CHAIN. X-Git-Tag: release-1.7.11~18 X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=47c44355b597da41b9b5159a5678525e00bea3bd;p=nginx.git SSL: use of SSL_MODE_NO_AUTO_CHAIN. The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically building a certificate chain on the fly if there is no certificate chain explicitly provided. Before this change, certificates provided via the ssl_client_certificate and ssl_trusted_certificate directives were used by OpenSSL to automatically build certificate chains, resulting in unexpected (and in some cases unneeded) chains being sent to clients. --- diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 83186f582..1b789e687 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -285,6 +285,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); #endif +#ifdef SSL_MODE_NO_AUTO_CHAIN + SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); +#endif + SSL_CTX_set_read_ahead(ssl->ctx, 1); SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
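Review bot: The new `#ifdef SSL_MODE_NO_AUTO_CHAIN` block in ngx_ssl_create() has no comment, and when the OpenSSL headers do not define the macro the build silently keeps the old behaviour. In that case certificates loaded through ssl_client_certificate and ssl_trusted_certificate can still be used to build chains automatically and be sent to clients. Consider adding a short comment above `SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);` that says why the mode is set. Also note, in that comment or in the documentation for the two directives, that the chain sent to clients depends on the library exposing this mode, so operators on such builds know to check what is actually served.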