I've come up against an issue in one of my deployments which I've traced back to this and provide a fix for below if someone would be so kind as to submit it for me :)
At present, ssl.c loads the user's provided SSL certificate set in HS_SSLCERTFILE using SSL_CTX_use_certificate_file:
    /* Loads only the first certificate found in the PEM file. */
    int openssl_use_certificate(openssl_env *env, char *file) {
      if (file)
        if (SSL_CTX_use_certificate_file(env->ctx, file, SSL_FILETYPE_PEM) > 0)
          return 1;
      syslog(LOG_ERR, "%s: could not load certificate file %s\n", strerror(errno), file);
      return 0;
    }
This works fine as is; however, it breaks chained certificate files (including intermediate trusts).
As per https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html, using SSL_CTX_use_certificate_file isn't recommended for this reason (see the NOTES section). There may be a good reason for using _file, in which case please disregard this and I'll just go ahead with my deployment, but I have attached below a modified version of ssl.c using SSL_CTX_use_certificate_chain_file instead, which I have tested working with chained and unchained certificates.
Kind Regards, Daniel Sullivan Reticulum IT
ssl.txt
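A pre-deployment check for the situation described in the post, added here as an example; it is not from the original post, the attached ssl.txt, or the project's ssl.c. It counts the CERTIFICATE blocks in the contents of a PEM file such as the one named by HS_SSLCERTFILE and reports how many a first-certificate-only loader would leave out. The function names and the sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Count complete CERTIFICATE blocks in a PEM buffer.
 * Returns the count, or -1 if a block is truncated or nested. */
int pem_count_certs(const char *pem) {
    int n = 0;
    const char *p = pem;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *body = p + strlen(PEM_BEGIN);
        const char *end = strstr(body, PEM_END);
        const char *next = strstr(body, PEM_BEGIN);
        if (end == NULL || (next != NULL && next < end))
            return -1;  /* BEGIN marker without its own END marker */
        n++;
        p = end + strlen(PEM_END);
    }
    return n;
}

/* Certificates after the first block are the ones a loader that reads a
 * single certificate would not send. Returns -1 on malformed input. */
int pem_certs_dropped_by_single_loader(const char *pem) {
    int n = pem_count_certs(pem);
    if (n < 0) return -1;
    return n > 1 ? n - 1 : 0;
}

/* Constructed sample data: placeholder bodies, not real certificates. */
static const char SAMPLE_LEAF_ONLY[] =
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n";
static const char SAMPLE_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n";
static const char SAMPLE_TRUNCATED[] = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n";

int main(void) {
    printf("leaf only: %d dropped\n", pem_certs_dropped_by_single_loader(SAMPLE_LEAF_ONLY));
    printf("chain:     %d dropped\n", pem_certs_dropped_by_single_loader(SAMPLE_CHAIN));
    printf("truncated: %d\n", pem_certs_dropped_by_single_loader(SAMPLE_TRUNCATED));
    return 0;
}
```

A non-zero result for a deployed certificate file means clients that do not already hold the intermediate certificates may fail to validate the server when only the first certificate is loaded.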