Diffstat (limited to 'lib/vtls/openssl.c')
-rw-r--r--lib/vtls/openssl.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 48a4c0b02..eb625fe93 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -493,21 +493,19 @@ int cert_stuff(struct connectdata *conn,
/*
* Note that sk_X509_pop() is used below to make sure the cert is
* removed from the stack properly before getting passed to
- * SSL_CTX_add_extra_chain_cert(). Previously we used
- * sk_X509_value() instead, but then we'd clean it in the subsequent
- * sk_X509_pop_free() call.
+ * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
+ * we used sk_X509_value() instead, but then we'd clean it in the
+ * subsequent sk_X509_pop_free() call.
*/
X509 *x = sk_X509_pop(ca);
- if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+ if(!SSL_CTX_add_client_CA(ctx, x)) {
X509_free(x);
- failf(data, "cannot add certificate to certificate chain");
+ failf(data, "cannot add certificate to client CA list");
goto fail;
}
- /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
- * presumably because it duplicates what we pass to it.
- */
- if(!SSL_CTX_add_client_CA(ctx, x)) {
- failf(data, "cannot add certificate to client CA list");
+ if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
+ X509_free(x);
+ failf(data, "cannot add certificate to certificate chain");
goto fail;
}
}
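Review bot: The order of the two calls is now what keeps `x` from being used or freed after `ctx` owns it, but the hunk deletes the only comment that described how SSL_CTX_add_client_CA() treats its argument, so nothing stops a later edit from swapping them back. I would add a comment above the `SSL_CTX_add_client_CA(ctx, x)` call, such as `/* SSL_CTX_add_client_CA() only copies the subject name and leaves x owned by us, so it must run before SSL_CTX_add_extra_chain_cert() takes ownership of x */`. The retained block comment above `sk_X509_pop(ca)` still reads as if SSL_CTX_add_extra_chain_cert() were the next call, so it is worth rewording it to say the cert is handed over after the client CA step. The enclosing loop and the `fail` label in cert_stuff() are outside the hunk, so I could not check what cleanup runs on `ca` after either `goto fail`.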