Merge branch '2514-tls-cert-chain' into 'main'

Load full certificate chain from a certificate chain file Closes #2514 See merge request isc-projects/bind9!4792
2025-08-31 14:35:26 +00:00 · 2021-03-16 10:33:35 +00:00
parent 6dee5c1b28 c69fafdd65
commit 50eaa0f38f
2 changed files with 5 additions and 2 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
+5600.	[bug]		Load a certificate chain file so that the full chain is
+			sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
+			clients that require full chain verification. [GL #2514]
+
 5599.	[bug]		Fix a crash when transferring a zone over TLS,
 			after "named" previously skipped a master. [GL #2562]

--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -311,8 +311,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 		EVP_PKEY_free(pkey);
 		BN_free(bn);
 	} else {
-		rv = SSL_CTX_use_certificate_file(ctx, certfile,
-						  SSL_FILETYPE_PEM);
+		rv = SSL_CTX_use_certificate_chain_file(ctx, certfile);
 		if (rv != 1) {
 			goto ssl_error;
 		}