Replace reference to 'extra_certs' for BoringSSL/OpenSSL 1.0.2 and later #74

Closed
byllyfish opened this Issue Jul 11, 2015 · 1 comment

ASIO no longer compiles when using the latest BoringSSL because ASIO accesses the extra_certs member directly in context::use_certificate_chain. To clear the certificate chain, OpenSSL 1.0.2 added a new API you can use: SSL_CTX_clear_chain_certs.

Here is a patch for context.ipp:

diff --git a/asio/include/asio/ssl/impl/context.ipp b/asio/include/asio/ssl/impl/context.ipp
index 08705e7..77da84e 100644
--- a/asio/include/asio/ssl/impl/context.ipp
+++ b/asio/include/asio/ssl/impl/context.ipp
@@ -539,11 +539,15 @@ asio::error_code context::use_certificate_chain(
       return ec;
     }

+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+    ::SSL_CTX_clear_chain_certs(handle_);
+#else
     if (handle_->extra_certs)
     {
       ::sk_X509_pop_free(handle_->extra_certs, X509_free);
       handle_->extra_certs = 0;
     }
+#endif // (OPENSSL_VERSION_NUMBER >= 0x10002000L)

     while (X509* cacert = ::PEM_read_bio_X509(bio.p, 0,
           handle_->default_passwd_callback,
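
Review bot: In the new #if branch, SSL_CTX_clear_chain_certs(handle_) does not clear the same list that the #else branch frees. On OpenSSL 1.0.2 it drops the chain attached to the current certificate, while handle_->extra_certs is the context-wide list that SSL_CTX_add_extra_chain_cert appends to. If the loop that starts at PEM_read_bio_X509 (its body is outside this hunk) still adds certificates with SSL_CTX_add_extra_chain_cert, a second call to use_certificate_chain would leave the earlier intermediates in place and they would keep being sent alongside the new chain. Either clear with SSL_CTX_clear_extra_chain_certs(handle_), or change the add call to SSL_CTX_add0_chain_cert so that clear and add operate on the same chain. Separately, the trailing context line still reads handle_->default_passwd_callback directly, which is the same kind of SSL_CTX member access this change is moving away from and should get the same version-guarded treatment.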

@BenPope BenPope referenced this issue in nghttp2/nghttp2 Sep 29, 2015

Closed

Support BoringSSL #373

@mlt mlt referenced this issue in PurpleI2P/i2pd Nov 11, 2015

Closed

openssl branch #287

chriskohlhoff commented Dec 3, 2015

Fixed in 6c70257.
